Developers: Heartbleed-Affected OpenSSL Code Is Beyond Repair

OpenSLL is screwed, and as a result we've got Heartbleed. But now a team of developers working to overhaul the code have deemed it beyond repair—and are instead creating an alternative, forked version.

Ars Technica reports that Theo de Raadt and his team have been probing OpenSSL and found it in an absolute mess. In an email to Ars, he explained:

"Our group removed half of the OpenSSL source tree in a week. It was discarded leftovers. The Open Source model depends [on] people being able to read the code. It depends on clarity. That is not a clear code base, because their community does not appear to care about clarity. Obviously, when such cruft builds up, there is a cultural gap. I did not make this decision... in our larger development group, it made itself."

So, he and his team have created the LibreSSL code base—a forked version of OpenSSL which essentially starts over. In a little over a week, they've removed 90,000 lines of C code without affecting functionality, which just goes to show how awfully written the OpenSSL standard was.

Still a work in progress, the LibreSSL project has a bare bones website that is left appealing on purpose, declaring that "this page scientifically designed to annoy web hipsters." They're seeking funding and hoping to build an alternative to OpenSSL that doesn't screw us all. Sound pretty great, even if you are a web hipster. [Libre SSL via Ars Technica]

Image by Marsmettnn Tallahasse under Creative Commons license