OpenSSL is even more horrifying than I thought it was

Posted on April 13, 2014

Someone recently called my attention to these two posts:

Firstly, OpenSSL shouldn’t be trying to work around broken mallocs. (Since OpenSSL already allows you to supply your own malloc implementation, that’s how users should work around a broken malloc, if they really feel a need to, rather than having a LIFO freelist hardcoded in libssl.) This is one of the two major problems with OpenSSL, in my opinion: it supports way too many esoteric and obsolete systems, and supports them in a way that complicates the code (and thus increases the surface area for bugs) for modern, mainstream operating systems.

Secondly, at the bottom of the second post, it mentions this bug has been reported multiple times (and the fix is only one or two lines), but the bug reports just languish in the bug tracker without being triaged. And there is the second problem with OpenSSL: lack of process. A good open-source project has processes in place for ensuring that bugs get triaged, patches get evaluated, and so forth. OpenSSL’s response to this is usually, “Hey, it’s free, so you can’t complain.” Of course that’s true, but when taken to the extreme, it’s not a useful position. An open-source project presupposes a certain amount of openness and cooperation. Sure, if someone says, “Hey, I want you to implement XYZ new feature for me for free” or “Ugh, your library is horribly buggy” without any specifics, then that’s not constructive. But if someone (or more than one someone) says, “Hey, you have an actual bug that causes incorrect behavior, and here’s the two-line fix for it,” then that’s someone who’s trying to help you. You’re doing yourself and your users a disservice by not triaging bug reports. Why should anyone want to contribute, if they see that others’ contributions haven’t even been looked at by a human? No, OpenSSL, you don’t have to do all the work yourselves, but you do have to do the work of letting the community help you. Engaging with the community is just part of how open source works, and if you’re not doing that, you don’t have a healthy project.