TechSpot

OpenSSL code is a mess, says creator of LibreSSL fork

  1. OpenBSD founder Theo de Raadt has created a fork of the OpenSSL cryptographic library that contained the Heartbleed bug, saying that the original code lacks clarity, contains a lot of "discarded leftovers", and is too much of a mess. He...

    Read more
     
  2. SirGCal

    SirGCal TS Maniac Posts: 365   +136

    Being a developer myself, I'm all about clean code. I can't stand the clutter people do to code these days...
     
    Jad Chaar likes this.
  3. Jad Chaar

    Jad Chaar TS Evangelist Posts: 6,477   +965

    I think creating a new version is better than struggling to repair the existing version.
     
    SirGCal and jobeard like this.
  4. jobeard

    jobeard TS Ambassador Posts: 9,090   +592

    @JC713 has a good point, given that the existing base "is a mess".
    But "mess" needs to be more than strictly stylistic changes that don't meet the aesthetic values of the reader. "Mess" needs to be nasty control flow problems or function arguments which create complex
    "if then else" or nested "if then else" structures that can not be understood. When this happens, the library really needs to be refactored into a new set of functions with single objectives each.
     
    Jad Chaar likes this.
  5. Now that large companies are chipping in to help pay for this and other open source infrastructure/security projects, perhaps OpenSSL will have the resources to clean things up.
     
  6. Despite the "mess" that OpenSSL is in, I cannot support the decision to fork and duplicate efforts. Doing so would only further dilute the already-scarce funding and manpower available to open-source development. Hopefully OpenSSL and LibreSSL can find ways to synergise their efforts, at the very least.
     
  7. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 8,430   +2,820

    If OpenSSL is in a mess, it is probably because it was a work in progress. Now that they can see how the code needs to be, it can be rewritten and probably simplified. I see no reason why OpenSSL should be kept, if LibreSSL can be properly coded as a complete future replacement.
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...