Re: Improving structure and governance
On 4/25/2014 9:33 PM, Awi wrote:

> As a US based organization, Apache is unsuited and (given fairly recent public news) untrusted to have any power over a project such as OpenSSL. Additionally, the Apache foundation has accumulated so many important projects over the last few years that they are becoming a single point of failure for too many things (or "too big to fail", as it is called in some other sectors). Thus I think a different organization would be needed if OpenSSL were to give up its independence.
>
> There is a similar thread on the openssl-dev mailing list and this project was mentioned there: http://www.theverge.com/2014/4/24/5646178/google-microsoft-and-facebook-launch-project-to-stop-the
>
> So it's likely that in one way or another OpenSSL will be influenced by US based organization(s).

The involvement of Microsoft makes this initiative highly suspect, and I wish the Linux Foundation had told them to get lost. Ever since its foundation, Microsoft has used every underhanded trick in the book to sabotage open source projects (just remember Bill Gates' open letter on the subject decades ago).

As long as Microsoft, Oracle etc. (or any of their friends) have any direct or indirect influence over this fund, it should be shunned like poison, even by projects not concerned with specific issues of US influence.

I guess someone at the Linux Foundation got caught up in the Heartbleed panic and fell for the "we must do something, this is something, so we must do this" fallacy.

Note that I am not an FSF fanatic, I truly believe in the cooperation of open and closed source projects, and make my living from closed source. But I am sufficiently experienced to see the damage certain other closed source companies can and will do to open source projects relied upon by other companies.

Enjoy

Jakob

--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Improving structure and governance
> The involvement of Microsoft makes this initiative highly suspect, and I wish the Linux Foundation had told them to get lost. Ever since its foundation, Microsoft has used every underhanded trick in the book to sabotage open source projects (just remember Bill Gates' open letter on the subject decades ago).

Recall that OpenSSL is used to implement the Secure Boot feature in UEFI firmware. Any modern system that has a Windows 8 logo on it has OpenSSL in its firmware, unless the firmware vendor or OEM replaced OpenSSL with another crypto lib. So MSFT does have a dependence on OpenSSL working, else Windows can no longer Securely Boot. :-)

And Microsoft and the Linux Foundation work together on getting the Linux EFI Shim signed so Linux can boot on these Windows PCs. :-(

Granted, commercial SUSE/RHAT/Ubuntu servers can get Secure Boot to work w/o MSFT certs, but those are expensive enterprise boxes, not consumer devices like this. :-(

The TianoCore.org project maintains a patch of OpenSSL (0.9x, not 1.x).
https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt

BTW, it's a shame that OpenSSL doesn't integrate that patch, and have some UEFI-targeting compiler directive to integrate it.

There's also an old bug/feature in OpenSSL, related to UEFI use of intermediate CAs, which UEFI is waiting for OpenSSL to deal with. It is a shame that this has been unresolved for years.
http://sourceforge.net/p/edk2/mailman/message/29329799/
http://marc.info/?l=openssl-users&m=128943213002702

OpenSSL's use in nearly all modern systems' firmware seems like a mainstream enough usage that they should take the EFI patch, and maybe help with the intermediate CA feature/bug.

I hope the new structure/governance in the post-Heartbleed era will also take into account OpenSSL's widespread use in modern firmware, not just OS and app usage.

Thanks,
Lee
Re: Improving structure and governance
On 30/04/2014 4:23 AM, Blibbet wrote:

> The TianoCore.org project maintains a patch of OpenSSL (0.9x, not 1.x).
> https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
>
> BTW, it's a shame that OpenSSL doesn't integrate that patch, and have some UEFI-targeting compiler directive to integrate it.

https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch

If you read through the patch you'll quickly see why in its present form it is unsuitable for integration. E.g. globally changing SMIME across from sha1 to sha256 isn't something a user would expect to see, nor would a global disabling of all time based checking for certificate validity periods.

I also haven't seen any RT issue matching this raised - perhaps it was somewhat indirect. But if anyone from the TianoCore project is interested in engaging on working through this issue then they should open an RT item so it can be tracked.

Tim.
Re: Improving structure and governance
As a US based organization, Apache is unsuited and (given fairly recent public news) untrusted to have any power over a project such as OpenSSL. Additionally, the Apache foundation has accumulated so many important projects over the last few years that they are becoming a single point of failure for too many things (or "too big to fail", as it is called in some other sectors). Thus I think a different organization would be needed if OpenSSL were to give up its independence.

There is a similar thread on the openssl-dev mailing list and this project was mentioned there: http://www.theverge.com/2014/4/24/5646178/google-microsoft-and-facebook-launch-project-to-stop-the

So it's likely that in one way or another OpenSSL will be influenced by US based organization(s).

Regards,
AW
Re: Improving structure and governance
On 4/25/2014 3:36 PM, Salz, Rich wrote:

> While we're still waiting to hear from the core team about changes, I might as well add to the noise and throw this out there. Perhaps openssl should become an Apache project? Keep the foundation for financial reasons, but use their infrastructure and such. Or perhaps consider adopting a large portion of their "rules."

As a US based organization, Apache is unsuited and (given fairly recent public news) untrusted to have any power over a project such as OpenSSL. Additionally, the Apache foundation has accumulated so many important projects over the last few years that they are becoming a single point of failure for too many things (or "too big to fail", as it is called in some other sectors). Thus I think a different organization would be needed if OpenSSL were to give up its independence.

Enjoy

Jakob

--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Re: Improving structure and governance
I've been thinking that the OpenSSL Foundation really needs to do better than simply being open to individual funders. A lot of companies use the libraries, and asking for some proper do-re-mi is completely kosher.

More on this later, I'm in Florida this weekend (feel sorry for me).

- M

On Fri, Apr 25, 2014 at 6:36 AM, Salz, Rich rs...@akamai.com wrote:

> While we're still waiting to hear from the core team about changes, I might as well add to the noise and throw this out there. Perhaps openssl should become an Apache project? Keep the foundation for financial reasons, but use their infrastructure and such. Or perhaps consider adopting a large portion of their rules.
>
> /r$
>
> --
> Principal Security Engineer
> Akamai Technologies, Cambridge, MA
> IM: rs...@jabber.me; Twitter: RichSalz