Date: Mon, 2 Jun 2014 17:14:04 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: info@...uxfoundation.org, admin@...ncryptoaudit.org, mgreen@...jhu.edu
Subject: Re: Linux Foundation OpenSSL audit

On Fri, May 30, 2014 at 03:20:29AM +0000, mancha wrote:
> The Linux Foundation's Core Infrastructure Initiative (CII), born
> during the aftermath of Heartbleed, has announced five new corporate
> sponsors as well as its immediate plans to support the NTP, OpenSSH,
> and OpenSSL projects.
>
> I applaud both the Linux Foundation and all its corporate sponsors for
> their inspiring leadership and vision.
>
> In the case of OpenSSL, some of the funding will be channeled through
> the Open Crypto Audit Project (OCAP) which is being charged with its
> security audit.
>
> OCAP can benefit greatly from reviewing OpenBSD's ongoing OpenSSL
> audit/review process which was the genesis for LibreSSL. I am cc'ing
> OCAP so they might comment on how the LibreSSL effort will factor into
> their workplan.
>
> Further, I am aware the OpenBSD Foundation has reached out to CII to
> request LibreSSL funding support. Given OpenBSD's solid track record
> and the leadership and initiative they've demonstrated through
> LibreSSL, I would appreciate if CII (also cc'd) would comment on that
> outstanding request.
>
> Many thanks.
>
> --mancha
>
> http://www.linuxfoundation.org/news-media/announcements/2014/05/core-infrastructure-initiative-announces-new-backers

To clarify my last post, I have no affiliation to OpenBSD or OpenSSL. However, having contributed to both OpenSSL and LibreSSL (albeit modestly) and having been actively tracking both projects, I've seen many synergies in action. For example, LibreSSL has taken issues/fixes directly from OpenSSL's RT tracker while OpenSSL has adopted/modified fixes from LibreSSL.

As the security community is aware, more so than most regular end-users, this positive feedback mechanism benefits both projects and ultimately everyone within the ecosystem. In that sense, supporting OpenSSL and LibreSSL sequentially rather than concurrently limits the role CII can play in catalyzing synergies between the projects. Moreover, if CII support helps OpenBSD realize/accelerate a portable LibreSSL version, users on many platforms will benefit from the increased choice - competition breeds success.

Matt, I have added you to the CC list because as co-founder of OCAP you can share with us how the progress OpenBSD has already made with auditing OpenSSL will factor into OCAP's own OpenSSL audit. And, because you also sit on CII's advisory board, you might be able to help us by forwarding this thread to the appropriate person(s) at CII so they can elaborate on how OpenBSD's LibreSSL support request is progressing.

Many thanks.