We’re no longer using our old ftp, rsync, and git links for distributing OpenSSL. These were great in their day, but it’s time to move on to something better and safer. ftp://ftp.openssl.org and rsync://rsync.openssl.org are not available anymore. As of June 1, 2024, we’re also going to shut down https://ftp.openssl.org and git://git.openssl.org/openssl.git mirrors.

GitHub is becoming the main distributor of the OpenSSL releases.

    • lemmyreader@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      70
      ·
      6 months ago

      Yes, what would possibly go wrong ? And OpenSSL is only a small and unimportant project and hardly anyone depends on it, right ? Right ? I can dig that they want to get rid of some of their own services but completely giving up on their own git repository ? Let’s hope they do mirror the source code on Codeberg or sourcehut.

      • Deckweiss@lemmy.world
        link
        fedilink
        arrow-up
        11
        arrow-down
        1
        ·
        edit-2
        6 months ago

        I’ll mirror it on my selfhosted git. Just hit me up when you need the files lol

        • lemmyreader@lemmy.mlOP
          link
          fedilink
          English
          arrow-up
          7
          ·
          6 months ago

          Well, yes. But let’s say the OpenSSL developers copy new changes of source code to GitHub, and something goes wrong after the copying (Think of a malicious attacker breaking in and changes some code), then all the people copying from that one download link will be in the same boat as well.

          • Gamma@beehaw.org
            link
            fedilink
            English
            arrow-up
            5
            ·
            edit-2
            6 months ago

            Any official mirrors would sync the changes anyway, it’s automatic

            Edit: Oh, I think I misunderstood your point. I agree that hosting the repos themselves would make it harder for randoms to maliciously introduce code

            • lemmyreader@lemmy.mlOP
              link
              fedilink
              English
              arrow-up
              5
              ·
              6 months ago

              I was trying to say that if the OpenSSL developers upload new source code to only GitHub and something goes wrong, even for example simply a mistake or failure by GitHub, then other users wanting to download will not have to wait for the OpenSSL developers to repair that problem when OpenSSL project would for example have mirrors on Codeberg or sourcehut or their own git server, the latter which they intend to deprecate.

              • Gamma@beehaw.org
                link
                fedilink
                English
                arrow-up
                3
                ·
                6 months ago

                If they were to set up an official mirror it would be automatic, so I don’t think there’s any real way to avoid that problem with their current plan. But you’re right! Sorry for the confusion

            • refalo@programming.dev
              link
              fedilink
              arrow-up
              2
              ·
              6 months ago

              What is your definition of harder? I think bugs/breaches are even more likely on personal forges than github. Not that one should rely on github anyways…

            • toastal@lemmy.ml
              link
              fedilink
              arrow-up
              1
              arrow-down
              1
              ·
              6 months ago

              Microsoft GitHub is riddled with bugs, is down at least once a month, & throttles non-Western IPs.

              • Auzy@beehaw.org
                link
                fedilink
                arrow-up
                1
                ·
                6 months ago

                What bugs? Be specific…

                Also, I can’t remember the last time Github has been offline for me (in the last 3.5 years of using it at work)

                • toastal@lemmy.ml
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  edit-2
                  6 months ago

                  The one I ran into 2 days ago was a user approving a pull request while I was requesting their & other maintainers review. It canceled their approval & I had to fetch them to reapprove since in that project no-green-checkmark-no-merge. It should not have erased their approval.

                  I bet you live in the West. My daytime, there are heaps of outages.

    • refalo@programming.dev
      link
      fedilink
      arrow-up
      8
      arrow-down
      1
      ·
      6 months ago

      Read-only github mirror with read/write on a personal forge seems like one possible approach to make it more accessible/friendly without giving up any control to MS.

  • mark@programming.dev
    link
    fedilink
    arrow-up
    51
    arrow-down
    3
    ·
    6 months ago

    These were great in their day, but it’s time to move on to something better and safer.

    How is it “safer” when contributing to the codebase or filing and discussing issues will now require creating an account and giving up personal information to one of the most privacy-invasive tech companies in the world? 😳

    • bitfucker@programming.dev
      link
      fedilink
      arrow-up
      14
      arrow-down
      1
      ·
      edit-2
      6 months ago

      You are mistaking contributing and distributing.

      Edit to clarify: The blog is strictly speaking about the means of distributing the release tarball. Distributing the release tarball has nothing to do with how contribution is accepted or how issue is handled. What they say on the blog is also very clear IMHO and for a good reason. Maintaining infrastructure takes work. Works that if you didn’t do it right can be an attack vector. Do you guys remember xz? Do you read how the vulnerabilities came to be? Maintaining a single source of truth for the release tarball can help mitigate that. If one malicious actor can control even one of the distribution channels of the release tarball we get xz 2 electric boogaloo.

    • kevincox@lemmy.mlM
      link
      fedilink
      arrow-up
      7
      ·
      edit-2
      6 months ago

      This announcement is just downloads which will continue to be available anonymously.

  • bitfucker@programming.dev
    link
    fedilink
    arrow-up
    24
    arrow-down
    1
    ·
    6 months ago

    I think a lot of people here read the headine and think OpenSSL is moving everything to github and giving up everything else. It is not. They only moved the means of distributing the release tarball to github and stopped supporting the ftp and rsync. Do not confuse distribution and contribution/development.

  • squeakycat@lemmy.ml
    link
    fedilink
    arrow-up
    12
    ·
    6 months ago

    Considering the absolutely devastating performance hits 3.x brings (and the apparent design failures that make it extremely difficult if not impossible to reclaim it) I wonder if openssl’s days are numbered. WolfSSL seems to be favorable to the HAProxy team. Hopefully that can get some traction.

    • Auzy@beehaw.org
      link
      fedilink
      arrow-up
      6
      arrow-down
      3
      ·
      6 months ago

      Those are fairly weak arguments honestly, none which have anything to do with the features on GitHub itself. In fact, this could have been written by someone who has no development or project management knowledge

      Open source projects also don’t pay for GitHub.

      Here’s one counterargument. One of our projects failed because we wasted so much time arguing about the hosting that we didn’t get much done. We moved between a few different services and wasted time comparing shortcomings between them.

      In practice, migration from GitHub is actually super easy if you ever wanted to because they literally have an API for everything. It also is a really comprehensive service, and a lot of the open source ones are missing things

      Im not a fan of Microsoft, but GitHub works really well and you can rely on it to be fully reliable (there have been few outages)

      • Andromxda 🇺🇦🇵🇸🇹🇼@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        6 months ago

        but GitHub works really well and you can rely on it to be fully reliable

        So does GitLab, Codeberg, sourcehut or self-hosting your own instance of GitLab CE, Gogs, Gitea or Forgejo. Why use GitHub? Especially, when developing open source software? Why use a proprietary software forge run by a Big Tech corporation that uses your code to train some AI model?

        • Auzy@beehaw.org
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          edit-2
          6 months ago

          Again, the productivity is what matters. You dont think they could train copilot if it’s hosted on a remote git repo?

          Also, are you going to do the self hosting for them? It uses a lot of resources and time to self host. Again, nobody knows this better than us.

          Also, what have you contributed to openssl lately? Resources? Money?

          Switching hosting isn’t a two second job either. There is a serious hit to productivity during migration for everyone, including distros.

          Are they allowed to use vs code to develop too? Or do they need to change?

          Nothing helps open source succeed better than productivity. Also, if they can train copilot with open ssl, good luck. Apparently the code is difficult

          Also, there is always the possibility some of these smaller ones go bankrupt. GitHub is highly unlikely to

          • Andromxda 🇺🇦🇵🇸🇹🇼@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            1
            ·
            6 months ago

            Again, the productivity is what matters.

            I don’t know how GitLab would make anyone terribly unproductive. I see many FOSS projects or even entire (proprietary) software companies choosing GitLab for source code management. In fact, the company I work at (a government contractor) uses GitLab, as well as many other FOSS tools. And it’s definitely not a FOSS company, our main customers are the police and military.

            You dont think they could train copilot if it’s hosted on a remote git repo?

            Sure, but their first choice for a data source is GitHub. For other platforms, they would need to develop and maintain an indexer/crawler (which you can block), which costs time and thus money. Just think about it, why would you upload my code to a platform, when you know that the owner of that platform actually hates FOSS and only wants to profit from it?

            Also, what have you contributed to openssl lately? Resources? Money?

            What has Microsoft recently contributed to the FOSS community? I mean truly contributed. Why should a FOSS project use their proprietary products when other free (both as in price and as in freedom) alternatives exist?

            Are they allowed to use vs code to develop too? Or do they need to change?

            Dumb argument. The code editor/IDE is a personal choice of each developer. The software forge isn’t. I really doubt that anyone at OpenSSL is using VSCode (a bloated JavaScript mess) for C development. But if you need to use it, there’s VSCodium which is completely open source and removes the Microsoft tracking.

            Also, there is always the possibility some of these smaller ones go bankrupt. GitHub is highly unlikely to

            So is GitLab

            • Auzy@beehaw.org
              link
              fedilink
              arrow-up
              1
              ·
              edit-2
              6 months ago

              I don’t know how GitLab would make anyone terribly unproductive. I see many FOSS projects or even entire (proprietary) software companies choosing GitLab for source code management. In fact, the company I work at (a government contractor) uses GitLab, as well as many other FOSS tools. And it’s definitely not a FOSS company, our main customers are the police and military.

              The switch process will be terribly unproductive. Also, even the process of discussing the change is a nightmare. Don’t forget all the backend stuff that needs to change too from all downstream. It’s not as easy as using the API and tools to copy the repo in this case… Everyone from Fedora to Zedora is affected on their side because the upstream address will change

              Sure, but their first choice for a data source is GitHub. For other platforms, they would need to develop and maintain an indexer/crawler (which you can block), which costs time and thus money. Just think about it, why would you upload my code to a platform, when you know that the owner of that platform actually hates FOSS and only wants to profit from it?

              Microsoft actually contributes a lot to open source… Why would they need an indexer / crawler? They already index everything using bing… Then they just need a git pull.

              What has Microsoft recently contributed to the FOSS community? I mean truly contributed. Why should a FOSS project use their proprietary products when other free (both as in price and as in freedom) alternatives exist?

              Because they work… Switching platforms offers no real benefits in any way, and Github is free for open source projects.

              Dumb argument. The code editor/IDE is a personal choice of each developer. The software forge isn’t. I really doubt that anyone at OpenSSL is using VSCode (a bloated JavaScript mess) for C development. But if you need to use it, there’s VSCodium which is completely open source and removes the Microsoft tracking.

              Yeah… Sure… Every developer I know these days except one uses VSCode. And we took him off the main team in our company because he was taking too long to do things (because we are all using copilot).

              What exactly do you think Microsoft is tracking? Do you think they’re peeking on developer webcams? Nope… https://code.visualstudio.com/docs/getstarted/telemetry . Crash reports are normal… Its all GDPR anyway. I don’t care if Microsoft knows what language I’m developing on

              So is GitLab

              Cool… I’ll just leave this here: https://arstechnica.com/security/2024/05/0-click-gitlab-hijacking-flaw-under-active-exploit-with-thousands-still-unpatched/

              People should use what they want. It’s actually bad for the community when people who contribute nothing try to project manage projects they have nothing to do with. It’s their decision… If you don’t like it, fork OpenSSL to Gitlab and do your own thing… Trust me, you’ll notice that choosing Github vs Gitlab doesn’t affect project success.

              • Andromxda 🇺🇦🇵🇸🇹🇼@lemmy.dbzer0.com
                link
                fedilink
                English
                arrow-up
                1
                ·
                6 months ago

                I don’t know why you are trying to paint the picture that everything except GitHub is extremely unstable and makes everyone unproductive. It’s definitely not the case, I can tell you that from years of experience in both corporate and FOSS software development. Haven’t heard from any project that migrated from GitLab/Codeberg/sourcehut to GitHub, it’s always the other way around. I often see abandoned GitHub repos with links to new repos on Codeberg or sourcehut. Because people don’t want to use Microsofts proprietary garbage. And somehow they don’t have any issues with suddenly being unproductive after switching away from GitHub.

                They already index everything using bing…

                Bing is such a piece of shut (just like most other Microsoft software) that I actually forgot it existed, because no normal person on this planet uses it

                Yeah… Sure… Every developer I know these days except one uses VSCode

                What programming language do you use? JavaScript?

                Microsoft actually contributes a lot to open source

                For example? Name a full FOSS microsoft program that can be used on it’s own. Most of the things I see on github.com/microsoft are just some obscure libraries or other developer tools that no one uses. Sure, VSCode. But the build you can download from Microsoft’s website isn’t even FOSS. They don’t offer downloads for Code - OSS. The new Windows terminal? Only usable on the otherwise completely proprietary, bloated, ad-infested, data-extracting Windows operating system. Terminals aren’t used by most people either, I think I could almost call this a developer tool. The Windows Calculator? Wow, what a great contribution to the FOSS world. And meanwhile they make billions from selling proprietary software. Microsoft never truly supported the FOSS community and likely never will.

                Cool… I’ll just leave this here: https://arstechnica.com/security/2024/05/0-click-gitlab-hijacking-flaw-under-active-exploit-with-thousands-still-unpatched/

                No software is perfect. Just look at all of the critical vulnerabilities Windows has had, EternalBlue (CVE-2017-0144) is a perfect example.

                It’s their decision…

                Of course it’s their decision, but it’s my right to criticize it, because I think it’s a bad decision.

  • pastermil@sh.itjust.works
    link
    fedilink
    arrow-up
    8
    ·
    6 months ago

    Fuck that… I guess we really should go with LibreSSL after all.

    Speaking of, what is its current working state?

  • Kushan@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    1
    ·
    6 months ago

    I doubt many of the commentators here used any of the deprecated methods to contribute to openssl.

    It’s one thing to talk about what’s good for open source, it’s quite another to practice it.

    • toastal@lemmy.ml
      link
      fedilink
      arrow-up
      1
      ·
      6 months ago

      I doubt many commenters here have used a wheelchair ramp to access a public building. Guess we should just remove all those ramps since that accessibility doesn’t affect them. The barrier to entry for setting up a wheel chair ramp is more expensive than offering at least one non-corporate code contribution method.

      • Kushan@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        6 months ago

        Your analogy would fit if the deprecated methods didn’t have a higher barrier to entry than using GitHub.

        This is less like removing the wheelchair ramps and more like removing the steps at the back of the building.

        • toastal@lemmy.ml
          link
          fedilink
          arrow-up
          1
          ·
          6 months ago

          Maybe. Maybe if the back steps required an account with a US-based service owned by a publicly-traded megacorporation that is collecting your data as per the ToS just to enter. That’s a helluva barrier that should never be expected for free software.

          • Kushan@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            6 months ago

            And yet no actual contributor to openssl is losing sleep over this.