OpenSSL code is a mess, says creator of LibreSSL fork

Himanshu Arora

OpenBSD founder Theo de Raadt has created a fork of the OpenSSL cryptographic library that contained the Heartbleed bug, saying that the original code lacks clarity, contains a lot of "discarded leftovers", and is too much of a mess. He was responding to the question of why he wanted to start over instead of helping to make OpenSSL better, Ars Technica reports.

"The Open Source model depends [on] people being able to read the code. It depends on clarity. That is not a clear code base, because their community does not appear to care about clarity. Obviously, when such cruft builds up, there is a cultural gap. I did not make this decision... in our larger development group, it made itself", de Raadt said.

LibreSSL's code base is on OpenBSD.org, and the project currently supports only OpenBSD. Although there are plans to support multiple operating systems, that'll happen only after the code and funding are shored up. The project is funded by the OpenBSD Foundation and OpenBSD Project.

When asked to elaborate on the term "discarded leftovers", de Raadt says that the OpenSSL project contains thousands of lines of VMS support, Win32 support, and FIPS support, which aren't required. In addition, there are thousands of lines of code that the OpenSSL team intended to deprecate 12 years ago but that are still in the code base.

De Raadt says that his team has done a lot of code cleanup, removing almost 90,000 lines of C code, and the code still compiles and works fine.

When asked to comment, OpenSSL Software Foundation President Steve Marquess said that he hasn't yet had the chance to look at LibreSSL's code base. In a blog post last week, Marquess highlighted OpenSSL's struggle to obtain funds and code contributions.


 
@JC713 has a good point, given that the existing base "is a mess".
But "mess" needs to be more than strictly stylistic changes that don't meet the aesthetic values of the reader. "Mess" needs to be nasty control flow problems or function arguments which create complex "if then else" or nested "if then else" structures that cannot be understood. When this happens, the library really needs to be refactored into a new set of functions with single objectives each.
 
Now that large companies are chipping in to help pay for this and other open source infrastructure/security projects, perhaps OpenSSL will have the resources to clean things up.
 
Despite the "mess" that OpenSSL is in, I cannot support the decision to fork and duplicate efforts. Doing so would only further dilute the already-scarce funding and manpower available to open-source development. Hopefully OpenSSL and LibreSSL can find ways to synergise their efforts, at the very least.
 
If OpenSSL is in a mess, it is probably because it was a work in progress. Now that they can see how the code needs to be, it can be rewritten and probably simplified. I see no reason why OpenSSL should be kept, if LibreSSL can be properly coded as a complete future replacement.
 