i am, incidentally, going to continue posting "the openssl maintainers are irresponsible" threads every time they do something irresponsible and its brought to my attention. squeaky wheels get grease, after all.
it has been 8 years since heartbleed, and 7 years since The Linux Foundation began their experiment in ensuring OpenSSL maintenance was properly funded so that they had the correct incentives to properly manage their project in a responsible way.
in my opinion: this experiment has been a total failure. LF / ISRG could have spent this money on commissioning a replacement FIPS-validated TLS implementation and funding the work for projects to switch away from OpenSSL instead. it should have.
to say that LF / ISRG failed to get the desired return on investment is an understatement. their ongoing investment has gotten us a legally dubious relicensing effort, and functionality nobody wanted except for those responsible for selling FIPS modules
anyway, the state of OpenSSL speaks for itself. i'll just continue to highlight why this experiment has been a failure. we should have used Heartbleed as the excuse to rid ourselves of OpenSSL.
@ariadne is LibreSSL a better replacement?
@brunomiguel like all things, there are pros and cons
@brunomiguel ARIADNES FOR THE ARIADNE GOD
@ariadne we should not be relying on ad hoc procedures for critical infrastructure but, well, freedumb!
OpenSSL 3 is a total disaster from a technical perspective, the providers framework is unnecessarily complex, has introduced performance and backwards compatibility regressions, and only exists to satisfy commercial FIPS module licensing.