"'Our group removed half of the OpenSSL source tree in a week. It was discarded leftovers,' de Raadt told Ars in an e-mail. […] De Raadt told ZDNet that his team has removed 90,000 lines of C code. 'Even after all those changes, the codebase is still API compatible,' he said. 'Our entire ports tree (8,700 applications) continue to compile and work after all these changes.' The OpenBSD team started working on LibreSSL about a week ago, he told Ars."
"As for Heartbleed, 'the mystery is not that a few overworked volunteers missed this bug', Marquess wrote. 'The mystery is why it hasn’t happened more often.'"
Couldn't agree more. I'm sure there's lots of folks now combing through every line of OpenSSL, trying to find some new 0-day.
A hard fork seems a good option. Fresh start, with no cruft or a bunch of legacy code. Painful, but positive.
2 comments
[ 43.9 ms ] story [ 880 ms ] threadCouldn't agree more. I'm sure there's lots of folks now combing through every line of OpenSSL, trying to find some new 0-day.
A hard fork seems a good option. Fresh start, with no cruft or a bunch of legacy code. Painful, but positive.