i am, incidentally, going to continue posting "the openssl maintainers are irresponsible" threads every time they do something irresponsible and it's brought to my attention. squeaky wheels get grease, after all.


it has been 8 years since heartbleed, and 7 years since The Linux Foundation began their experiment in ensuring OpenSSL maintenance was properly funded so that they had the correct incentives to properly manage their project in a responsible way.

in my opinion: this experiment has been a total failure. LF / ISRG could have spent this money on commissioning a replacement FIPS-validated TLS implementation and funding the work for projects to switch away from OpenSSL instead. it should have.

OpenSSL 3 is a total disaster from a technical perspective: the providers framework is unnecessarily complex, has introduced performance and backwards compatibility regressions, and only exists to satisfy commercial FIPS module licensing.

to say that LF / ISRG failed to get the desired return on investment is an understatement. their ongoing investment has gotten us a legally dubious relicensing effort, and functionality nobody wanted except for those responsible for selling FIPS modules.

anyway, the state of OpenSSL speaks for itself. i'll just continue to highlight why this experiment has been a failure. we should have used Heartbleed as the excuse to rid ourselves of OpenSSL.

@ariadne we should not be relying on ad hoc procedures for critical infrastructure but, well, freedumb!

Treehouse Mastodon