Google is releasing its own independently developed \"fork\" of OpenSSL, the widely used cryptography library that came to international attention following the Heartbleed vulnerability that threatened hundreds of thousands of websites with catastrophic attacks. <\/p>\n
OpenBSD developers \"removed half of the OpenSSL source tree in a week.\" <\/p>\n
\"But well also be more able to import changes from LibreSSL and they are welcome to take changes from us,\" Adam Langley, a widely respected cryptography engineer and Google employee, wrote in a blog post introducing BoringSSL. \"We have already relicensed some of our prior contributions to OpenSSL under an ISC license at their request and completely new code that we write will also be so licensed.\" <\/p>\n
While it wasn't immediately clear how the forks will functionor when it makes sense to use one over anotherthe following exchange from this Hackernews forum may provide some clues. <\/p>\n
matteotom So from what I understand, Google has a bunch of OpenSSL patches they use. They used to re-apply those patches to each new OpenSSL release, but now they're going to keep their own branch (BoringSSL) and pull and merge changes from OpenSSL? <\/p>\n
What are the costs\/benifits of one method over the other? <\/p>\n
agl I think the costs and benefits are pretty much what you would expect. If your diff from upstream is small, then the tradeoff strongly favours rebasing against upstream and tracking it. <\/p>\n
However, as the diff becomes larger, the tradeoff shifts. I think we passed that point a while back but, since we were going to switch models anyway, I took some time to clean up some bits of the code too. <\/p>\n
tedunangst Fewer surprises. You don't wake up one day and discover that TLS heartbeats have appeared in your library as a result of previous upgrades. Every upstream change has to be reviewed because that's the only way it gets in. Also, local changes are much less likely to be lost as a result of merge conflicts. <\/p>\n
The downside is that you may miss some upstream changes that you do care about. <\/p>\n
<\/p>\n