On Wed, Jun 04, 2014 at 09:14:18AM +1000, Peter Waltenberg wrote:
> 
> This is NOT the Linux kernel, the Linux kernel is directly funded by
> several of the larger companies, they have employees contributing directly
> on the kernel, with access to internal hardware resources.

Yes, and I'm saying people aren't thinking big enough.  OpenSSL is
critical infrastructure.  There's a reason why the Linux Foundation's
Critical Infrastructure Initiative is funding two people to work full
time on making OpenSSL better.  (ObDisclosure: I'm on the CII
technical advisory board.)

If there are resources you need, people should *ask*.  There may be
solutions you haven't thought of.  For example, one mechanism that has
been used before is to have the hardware donated to the Oregon State
University's Open Source Lab.  IBM has used this to make Power systems
available to open source developers, for example.  So there are ways
to get access to machines without requiring that you pay for the power
and hosting fees.

Don't assume that the answer is that it can't be done, so we need to keep
horrible macros and #ifdef's and be really hesitant making changes
lest we break some dead architecture that might not be maintained,
or for some router company that might not take an updated OpenSSL to
support some hardware which is ten years old.  There may very well be
solutions you haven't thought of yet.

> I think the best you'd manage is insisting that larger companies wanting
> support run some sort of continuous build system internally and feed
> results back to the OpenSSL team.

And this is also not hard.  Now that OpenSSL is using git, it's really
trivially easy to have companies do this and feed results back.  Intel
has a team in China doing this for pretty much every single major
kernel developer's git tree.  I can push an ext4 patch to a test git branch,
and if I've forgotten to run sparse (a static code analyzer) and fix
any problems, within *minutes* I'll get back an e-mail indicating that
my pushed test code has introduced new code warnings.  And this is
done *before* my code hits linux-next, or Linus's mainline tree.

You don't think OpenSSL is similarly important?  And that companies
won't provide similar continuous testing if you ask?  Especially after
all of the notice that was raised after the Heartbeat scare (which
admittedly wasn't even the worst SSL bug in the last couple of
months), this is really a good time to ask companies for this kind of
support.

Cheers,

                                        - Ted
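The "you introduced new warnings" mail Ted describes depends on one piece of logic: comparing analyzer output for the base commit against output for the pushed commit and reporting only what is new, so the author is not buried under every pre-existing warning. The script below is an added example of that comparison, written for this page; it is not code from Ted's message, from Intel's test infrastructure, or from the kernel or OpenSSL projects. It assumes the "file:line:col: warning: message" format that sparse and gcc both emit; the two analyzer outputs, the file names, the symbol 'ext4_scan_extents' and the branch name are constructed for the demonstration.

```python
"""Added example: flag static-analyzer warnings that a pushed branch introduces.

Given analyzer output (sparse or gcc-style "file:line[:col]: warning: msg")
for the base commit and for the pushed commit, report only the warnings that
are new, rather than every warning the tree already had.
"""
import re
from collections import Counter

# sparse and gcc both print "path:line[:col]: warning: message"
WARNING_RE = re.compile(
    r"^(?P<file>[^\s:]+):(?P<line>\d+)(?::(?P<col>\d+))?:\s*warning:\s*(?P<msg>.+)$"
)


def parse_warnings(output):
    """Extract (file, line, message) from analyzer output; other lines are ignored."""
    found = []
    for raw in output.splitlines():
        m = WARNING_RE.match(raw.strip())
        if m:
            found.append((m.group("file"), int(m.group("line")), m.group("msg").strip()))
    return found


def warning_key(file, msg):
    """Identity of a warning for comparison purposes.

    Line and column are deliberately dropped: an unrelated edit above an old
    warning shifts its line number, and that must not be reported as new.
    """
    return (file, msg)


def new_warnings(base_output, head_output):
    """Warnings present in head but not in base, counted per (file, message).

    Counting matters: if base already had one copy of a warning and head has
    two, the second copy is new and is reported.
    """
    baseline = Counter(warning_key(f, m) for f, _, m in parse_warnings(base_output))
    seen = Counter()
    introduced = []
    for file, line, msg in parse_warnings(head_output):
        key = warning_key(file, msg)
        seen[key] += 1
        if seen[key] > baseline[key]:
            introduced.append((file, line, msg))
    return introduced


def format_report(introduced, branch):
    """Plain-text body for the notification mail; empty string means all clear."""
    if not introduced:
        return ""
    lines = [f"{len(introduced)} new warning(s) introduced on branch {branch}:", ""]
    lines += [f"  {f}:{line}: {msg}" for f, line, msg in introduced]
    return "\n".join(lines)


# Constructed sample output (not real analyzer runs): in the second run the
# first warning has moved down seven lines (not new), there is one genuinely
# new warning about a hypothetical symbol, and one build line that is not a
# warning at all.
BASE_OUTPUT = """\
fs/ext4/inode.c:1203:17: warning: incorrect type in assignment (different base types)
fs/ext4/super.c:4410:9: warning: context imbalance in 'ext4_lock_group' - different lock contexts for basic block
"""
HEAD_OUTPUT = """\
  CC      fs/ext4/inode.o
fs/ext4/inode.c:1210:17: warning: incorrect type in assignment (different base types)
fs/ext4/inode.c:1315:9: warning: symbol 'ext4_scan_extents' was not declared. Should it be static?
fs/ext4/super.c:4410:9: warning: context imbalance in 'ext4_lock_group' - different lock contexts for basic block
"""

if __name__ == "__main__":
    # Hypothetical branch name; a post-receive hook would pass the pushed ref here.
    report = format_report(new_warnings(BASE_OUTPUT, HEAD_OUTPUT), "dev/test-branch")
    print(report or "no new warnings")
```

In a real hook the two outputs would come from running the analyzer on the base commit and on the pushed commit (or from a cached baseline for the base), and a non-empty report would be mailed back to the pusher. Keying on (file, message) rather than (file, line) is the detail that keeps the mail honest: without it every warning below an edited line would be reported as "new".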
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
