115
submitted 6 months ago* (last edited 6 months ago) by lemmyreader@lemmy.ml to c/opensource@lemmy.ml

We’re no longer using our old ftp, rsync, and git links for distributing OpenSSL. These were great in their day, but it’s time to move on to something better and safer. ftp://ftp.openssl.org and rsync://rsync.openssl.org are not available anymore. As of June 1, 2024, we’re also going to shut down https://ftp.openssl.org and git://git.openssl.org/openssl.git mirrors.

GitHub is becoming the main distributor of the OpenSSL releases.

top 50 comments
sorted by: hot top controversial new old
[-] UpperBroccoli@lemmy.blahaj.zone 101 points 6 months ago

Good idea, giving Microsoft control over every single open source project. I mean, what could go wrong, right?

[-] lemmyreader@lemmy.ml 72 points 6 months ago

Yes, what would possibly go wrong ? And OpenSSL is only a small and unimportant project and hardly anyone depends on it, right ? Right ? I can dig that they want to get rid of some of their own services but completely giving up on their own git repository ? Let's hope they do mirror the source code on Codeberg or sourcehut.

[-] Deckweiss@lemmy.world 10 points 6 months ago* (last edited 6 months ago)

I'll mirror it on my selfhosted git. Just hit me up when you need the files lol

[-] asbestos@lemmy.world 2 points 6 months ago

I’ll put it up as a torrent soon

[-] lemmyreader@lemmy.ml 2 points 6 months ago
[-] GammaGames@beehaw.org 3 points 6 months ago

Even if they don’t I’m sure many others will

[-] lemmyreader@lemmy.ml 7 points 6 months ago

Well, yes. But let's say the OpenSSL developers copy new changes of source code to GitHub, and something goes wrong after the copying (Think of a malicious attacker breaking in and changes some code), then all the people copying from that one download link will be in the same boat as well.

[-] GammaGames@beehaw.org 5 points 6 months ago* (last edited 6 months ago)

Any official mirrors would sync the changes anyway, it’s automatic

Edit: Oh, I think I misunderstood your point. I agree that hosting the repos themselves would make it harder for randoms to maliciously introduce code

[-] lemmyreader@lemmy.ml 5 points 6 months ago

I was trying to say that if the OpenSSL developers upload new source code to only GitHub and something goes wrong, even for example simply a mistake or failure by GitHub, then other users wanting to download will not have to wait for the OpenSSL developers to repair that problem when OpenSSL project would for example have mirrors on Codeberg or sourcehut or their own git server, the latter which they intend to deprecate.

[-] GammaGames@beehaw.org 3 points 6 months ago

If they were to set up an official mirror it would be automatic, so I don’t think there’s any real way to avoid that problem with their current plan. But you’re right! Sorry for the confusion

[-] lemmyreader@lemmy.ml 1 points 6 months ago
[-] refalo@programming.dev 2 points 6 months ago

What is your definition of harder? I think bugs/breaches are even more likely on personal forges than github. Not that one should rely on github anyways...

[-] GammaGames@beehaw.org 2 points 6 months ago
[-] refalo@programming.dev 1 points 6 months ago* (last edited 6 months ago)

I think "something goes wrong" is even MORE likely to happen on randomdude.com's insecure git forge

[-] ReversalHatchery@beehaw.org 1 points 6 months ago* (last edited 6 months ago)

Codeberg and SourceHut are not really randomdude.com's insecure git forge. Both are doing development on their own services, and those services are not bad, like at all

load more comments (3 replies)
[-] refalo@programming.dev 7 points 6 months ago

Read-only github mirror with read/write on a personal forge seems like one possible approach to make it more accessible/friendly without giving up any control to MS.

[-] mark@programming.dev 48 points 6 months ago

These were great in their day, but it’s time to move on to something better and safer.

How is it "safer" when contributing to the codebase or filing and discussing issues will now require creating an account and giving up personal information to one of the most privacy-invasive tech companies in the world? 😳

[-] lemmyreader@lemmy.ml 14 points 6 months ago
[-] bitfucker@programming.dev 13 points 6 months ago* (last edited 6 months ago)

You are mistaking contributing and distributing.

Edit to clarify: The blog is strictly speaking about the means of distributing the release tarball. Distributing the release tarball has nothing to do with how contribution is accepted or how issue is handled. What they say on the blog is also very clear IMHO and for a good reason. Maintaining infrastructure takes work. Works that if you didn't do it right can be an attack vector. Do you guys remember xz? Do you read how the vulnerabilities came to be? Maintaining a single source of truth for the release tarball can help mitigate that. If one malicious actor can control even one of the distribution channels of the release tarball we get xz 2 electric boogaloo.

[-] kevincox@lemmy.ml 7 points 6 months ago* (last edited 6 months ago)

This announcement is just downloads which will continue to be available anonymously.

[-] Ephera@lemmy.ml 35 points 6 months ago

What the absolute fuck...

[-] bitfucker@programming.dev 24 points 6 months ago

I think a lot of people here read the headine and think OpenSSL is moving everything to github and giving up everything else. It is not. They only moved the means of distributing the release tarball to github and stopped supporting the ftp and rsync. Do not confuse distribution and contribution/development.

[-] ReversalHatchery@beehaw.org 1 points 6 months ago

Aren't they going to shut down their git mirror too, soon?

[-] bitfucker@programming.dev 2 points 6 months ago* (last edited 6 months ago)

Well, I've took it to read it for myself on how they receive contribution, and it always need to be from github anyway unlike say Linux which accept email patches.

[-] refalo@programming.dev 18 points 6 months ago
[-] squeakycat@lemmy.ml 12 points 6 months ago

Considering the absolutely devastating performance hits 3.x brings (and the apparent design failures that make it extremely difficult if not impossible to reclaim it) I wonder if openssl's days are numbered. WolfSSL seems to be favorable to the HAProxy team. Hopefully that can get some traction.

[-] lemmyreader@lemmy.ml 12 points 6 months ago

Good that you mention WolfSSL and that HAProxy team seems to like it. Years ago some Linux distributions made the switch to LibreSSL, but unfortunately that all (?) seems to have failed.

[-] Andromxda@lemmy.dbzer0.com 10 points 6 months ago

That's a pretty bad idea. I highly recommend this awesome write-up by Software Freedom Conservancy: Give Up GitHub!

[-] Auzy@beehaw.org 3 points 6 months ago

Those are fairly weak arguments honestly, none which have anything to do with the features on GitHub itself. In fact, this could have been written by someone who has no development or project management knowledge

Open source projects also don't pay for GitHub.

Here's one counterargument. One of our projects failed because we wasted so much time arguing about the hosting that we didn't get much done. We moved between a few different services and wasted time comparing shortcomings between them.

In practice, migration from GitHub is actually super easy if you ever wanted to because they literally have an API for everything. It also is a really comprehensive service, and a lot of the open source ones are missing things

Im not a fan of Microsoft, but GitHub works really well and you can rely on it to be fully reliable (there have been few outages)

[-] Andromxda@lemmy.dbzer0.com 2 points 6 months ago

but GitHub works really well and you can rely on it to be fully reliable

So does GitLab, Codeberg, sourcehut or self-hosting your own instance of GitLab CE, Gogs, Gitea or Forgejo. Why use GitHub? Especially, when developing open source software? Why use a proprietary software forge run by a Big Tech corporation that uses your code to train some AI model?

load more comments (4 replies)
[-] cupcakezealot@lemmy.blahaj.zone 9 points 6 months ago

sorry i get all my software from download.com

[-] pastermil@sh.itjust.works 8 points 6 months ago

Fuck that... I guess we really should go with LibreSSL after all.

Speaking of, what is its current working state?

[-] lemann@lemmy.dbzer0.com 3 points 6 months ago

I'll take anything that has a compatible command line and library to be honest

Except ffmpeg/libav. I will always want the real ffmpeg 😤

I’ve also seen WolfSSL mentioned, which is HAProxy’s go-to. I haven’t played with it in depth myself though.

[-] MichaelTen@lemmy.world 6 points 6 months ago

Federated Forgejo seems ideal.

[-] refalo@programming.dev 4 points 6 months ago

I didn't think they had federation working yet? And forgefed/vervis isn't ready yet either.

[-] Kushan@lemmy.world 5 points 6 months ago

I doubt many of the commentators here used any of the deprecated methods to contribute to openssl.

It's one thing to talk about what's good for open source, it's quite another to practice it.

[-] toastal@lemmy.ml 1 points 6 months ago

I doubt many commenters here have used a wheelchair ramp to access a public building. Guess we should just remove all those ramps since that accessibility doesn’t affect them. The barrier to entry for setting up a wheel chair ramp is more expensive than offering at least one non-corporate code contribution method.

[-] Kushan@lemmy.world 1 points 6 months ago

Your analogy would fit if the deprecated methods didn't have a higher barrier to entry than using GitHub.

This is less like removing the wheelchair ramps and more like removing the steps at the back of the building.

[-] toastal@lemmy.ml 1 points 6 months ago

Maybe. Maybe if the back steps required an account with a US-based service owned by a publicly-traded megacorporation that is collecting your data as per the ToS just to enter. That’s a helluva barrier that should never be expected for free software.

load more comments (1 replies)
[-] Linkerbaan@lemmy.world 5 points 6 months ago

Weird and worrying choice

[-] TeddyKila@hexbear.net 4 points 6 months ago
[-] panned_cakes@hexbear.net 3 points 6 months ago

better and safer

very ominous considering why most people leave github

[-] erAck@discuss.tchncs.de 2 points 6 months ago

Bad clickbait headline.

load more comments
view more: next ›
this post was submitted on 02 May 2024
115 points (96.0% liked)

Open Source

30919 readers
462 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS