Heartbleed continues to cause enormous issues around the globe and is being actively attacked. Saying that, the bulk of solutions and systems out there using OpenSSL have been patched by now so the risk surface is growing smaller and smaller by the day.
OpenSSL President Steve Marquess wrote in a blog post last week that OpenSSL typically receives about $2,000 in donations a year and has just one employee who works full time on the open source code. That is paltry compared to many other open source projects and one can easily understand that with such limited resources, it would be very difficult to create a high quality product.
Everyone seems to have woken up now and the Linux Foundation is arranging a 3 yr initiative worth about $4 million to help under-funded open source projects, the first one being OpenSSL.
So hopefully we’re going to be seeing a better staffed OpenSSL project with higher quality code rising out of the ashes soon.
It’s interesting to see that Theo de Raadt’s ( not someone I’ve ever looked up to ) OpenBSD project is forking the code arguing that OpenSSL is full of “discarded leftovers” and unreadable code. Easy to say when you’ve got a big group behind you. I wonder what Theo would’ve said if he’d been the only developer?
