[dupe] IBM, Microsoft, Facebook, Google, others pledge $3.6 million to fund OpenSSL (arstechnica.com)
107 points by 0cool on April 24, 2014 | hide | past | favorite | 22 comments



> "IBM, Microsoft, Facebook, Google, others pledge $3.6 million to fund OpenSSL (arstechnica.com)"

The title of this submission is incorrect. The funding goes to the general fund, not specifically to OpenSSL.

Here's the press release this article is based on:

http://www.linuxfoundation.org/news-media/announcements/2014...

And here's the actual initiative:

http://www.linuxfoundation.org/programs/core-infrastructure-...

Discussed here:

https://news.ycombinator.com/item?id=7639835


Thank you. We'll bury the current post as a dupe of 7639835.


After the Heartbleed incident at least a title was expected.


If they funded OpenBSD's project portfolio (including LibreSSL), they'd get a heck of a lot more out of it for their money.


I asked Zemlin (Linux Foundation executive chairman) about that yesterday. He wasn't familiar enough with the LibreSSL project (and obviously the OpenBSD guys have different goals in some regards than the OpenSSL guys) to comment, but the idea is that this initiative would support any project that is important to the well-being of the net.

But even if LibreSSL is a huge success, OpenSSL isn't going to go away and it's important that that existing project get support from the people that use it and benefit from it the most. Which is exactly what is happening.


> OpenSSL isn't going to go away

This reminds me of XFree86. Some said XFree86 would still be around after the X.org fork. The culture of XFree86 was so bad though that the project was effectively abandoned by everyone except for the "leader" David Dawes before X.org was even operational.

Projects with poisoned cultures appear to die off. With the ratty code-base and aversion to contributions by OpenSSL it seems like a good candidate for abandonment.


Exactly

The LibreSSL guys are much more willing to tackle the problems, remove all backwards compatible crud and modernize it. Because the things they are removing are jaw dropping: http://opensslrampage.org

OpenSSL looks like a mouse nest.


That's true -- but the circumstances are notably different.

1. XFree86 kicked Keith Packard out and he joined up with Xorg/freedesktop.

2. Most XFree86 devs migrated to X.org.

3. The license change. And this is key. The switch to a GPL v2-incompatible license made it incompatible with the Linux kernel and almost every project.

Moreover, the major users of XFree86 were Linux and Unix-like distros. That's a big market but comparatively small compared with the number of projects that use OpenSSL.

Could OpenSSL disappear? Yes. But it won't happen overnight, simply because of the existing number of projects that use it.


But they don't want to run OpenBSD.


Everyone who relies on ssh should be sending OpenBSD a bit of cash.


One doesn't need to run OpenBSD to benefit from the work the project has done. You are most likely benefitting from it no matter what OS you use.


OpenSSL source code is a disaster. It's spaghetti that doesn't do what you think it does, with horrible documentation. People submit patches from people they don't even know and then you have it: an SSL library that is flawed but everyone is using it. A spying agency's and hacker's dream.

We don't need OpenSSL, we need another library built from scratch with very clean code and documentation.

Everyone who has more interest in why OpenSSL is a catastrophe should watch Operation ORCHESTRA[0].

[0] https://www.youtube.com/watch?v=fwcl17Q0bpk


> built from scratch

With ya up until this. The core crypto code works. The framework around it is aged, crufty, and could use a refactor/rewrite. But tossing the baby out is not useful here. Just wash the kid and put on some new clothes and he'll fit right in again.

LibreSSL is going in the right direction (specific questionable decisions notwithstanding). Hopefully someone will bring over some of that love to the main codebase.


Agreed. Even Theo sees the value in a popular but crappy crypto lib that works that just needs a good gutting. Starting from scratch would be costly reinventing a security wheel and likely incompatible with OpenSSL... IOW dead-on-arrival.


> We don't need OpenSSL, we need another library built from scratch with very clean code and documentation.

Well, feel free to hop to it, then.

If you've known about this for a while and haven't done anything, then you're part of the problem.


This comes off as a few companies trying to throw money at a rotten crypto lib, when only leadership like Theo's way (minimalism, dropping features) would have a prayer of rescuing it. So giving OpenSSL more money doesn't make sense, it's like rewarding failure because they've shown an inability to produce good code or maintain it well... More money won't help that, likely the opposite. Instead, TLS WG needs to get their act together and reduce their addiction to feature creep, release a reference library and comprehensive test suite. Then OpenSSL might have a chance after picking up a compass and a map and get back to some semblance of being a decent crypto lib, but more money is unlikely to solve this issue.


This, along with Google and others devoting employees like Neel Mehta to it should go a long way.


They're throwing good money after bad pretty much. IMO they should fund LibreSSL + OpenBSD + OpenSSH, bound to get more bang for buck.


WOW! Never thought there is just one person devoted to a library that we rely on to bring security to us all. Community is great but still some more dedication is needed in parts which are essential for security. Glad to see that some took it seriously.


How about they each chip in $10K each year for OpenSSH?


They might, indirectly. OpenSSH would seem like a good candidate for funding from the Core Infrastructure Program.


Wow, with this money they could just rewrite that thing and get the source audited and tested.



