It’s been a week and change since the first LibreSSL portable release was announced to much sturm und drang. (To quote WP, “extremes of emotion were given free expression in reaction to the perceived constraints of rationalism”. Not be to taken too literally.) I’m not directly involved, but a few thoughts and reflections on the release and its reception. (Deliberately missing some links; do your own digging if you care.)
Most people seemed pretty happy with the release. That was good. There were a few portability wrinkles. They got fixed. That was good.
Then there were the LibreSSL is an unsafe catastrophe fun times. My earlier thoughts.
Now what was missing was any mention of prior art. Like CVE-2013-1900. Is PostgreSQL unsafe? Or CVE-2014-0017. Is stunnel unsafe? These are real programs, presumably trying to be secure, with real exploits. Not carefully crafted samples that aided in their own exploitation. Perhaps it’s OpenSSL that’s unsafe? It’s not like OpenSSL hasn’t had its own fixes for trouble with pid reuse.
I don’t have much involvement in portable, but I definitely had a hand in neutering the RAND and egd interfaces. Contrary to some commentary, we didn’t neuter these interfaces because we didn’t know what they were. We neutered them because we know precisely what they are. They’re fucking stupid.
The next turn of events was the notion that the getpid/atfork fixes were then rushed out the door. It’s sad when “Bug fixed in timely manner” is headline worthy news. It’s twisted when it’s spun as something bad. What else should one do after receiving a bug report via blog post via front page news? Sit on it? What purpose would that serve? Or, phrased differently, what narrative does a delayed fix facilitate?
Finally came the report that the atfork fix was all wrong, which was then edited to be rather less wrong. Hey, that’s ok, we all make mistakes. I’m more disappointed with the chorus of tweeters and sharers and likers who rushed to spread the bad news without apparently reading or understanding it, simply because it slotted nicely into the “wrong wrong wrong” story they had going.
Not to say all criticism is unwarranted or unwelcome. Indeed, with every release, Bob specifically asks for criticism, though I think he calls it feedback.
Rather, not every bug is a catastrophe. Not every release is rushed. Sometimes vulnerabilities are overblown, not just “overblown”. When reporting consists of stringing together “one” “word” “quotes”, it’s not journalism; it’s dramamongering.
Whether for serious or for fun, phk and djb have each conjectured a massive all encompassing conspiracy dedicated to maintaining the status quo and preventing the development of secure software. I’m not sure I believe in such a conspiracy, but I am certain that should it exist, it could not possibly hope to be more disruptive. On the one hand we have people claiming the OpenSSL API is too broken to work with (they may have a point); on the other hand we have people demanding that we maintain every last misfeature piece of shit function in that API.
Do you want software to stop being shit? Then stop expecting... nay, stop demanding that software be shit.