Releases Distribution Changes - OpenSSL Blog
openssl.org
I’d like to give you a heads-up about some changes we’re making at OpenSSL. We’re simplifying how you can get our software, and that means we’re …

We’re no longer using our old ftp, rsync, and git links for distributing OpenSSL. These were great in their day, but it’s time to move on to something better and safer. ftp://ftp.openssl.org and rsync://rsync.openssl.org are not available anymore. As of June 1, 2024, we’re also going to shut down https://ftp.openssl.org and git://git.openssl.org/openssl.git mirrors.

GitHub is becoming the main distributor of the OpenSSL releases.

    • lemmyreader@lemmy.mlOPEnglish
      71·
      2 months ago

      Yes, what would possibly go wrong ? And OpenSSL is only a small and unimportant project and hardly anyone depends on it, right ? Right ? I can dig that they want to get rid of some of their own services but completely giving up on their own git repository ? Let’s hope they do mirror the source code on Codeberg or sourcehut.

    • refalo@programming.dev
      81·
      2 months ago

      Read-only github mirror with read/write on a personal forge seems like one possible approach to make it more accessible/friendly without giving up any control to MS.

  • mark@programming.dev
    503·
    2 months ago

    These were great in their day, but it’s time to move on to something better and safer.

    How is it “safer” when contributing to the codebase or filing and discussing issues will now require creating an account and giving up personal information to one of the most privacy-invasive tech companies in the world? 😳

    • bitfucker@programming.dev
      131·
      2 months ago

      You are mistaking contributing and distributing.

      Edit to clarify: The blog is strictly speaking about the means of distributing the release tarball. Distributing the release tarball has nothing to do with how contribution is accepted or how issue is handled. What they say on the blog is also very clear IMHO and for a good reason. Maintaining infrastructure takes work. Works that if you didn’t do it right can be an attack vector. Do you guys remember xz? Do you read how the vulnerabilities came to be? Maintaining a single source of truth for the release tarball can help mitigate that. If one malicious actor can control even one of the distribution channels of the release tarball we get xz 2 electric boogaloo.

    • kevincox@lemmy.mlM
      7·
      2 months ago

      This announcement is just downloads which will continue to be available anonymously.

  • bitfucker@programming.dev
    231·
    2 months ago

    I think a lot of people here read the headine and think OpenSSL is moving everything to github and giving up everything else. It is not. They only moved the means of distributing the release tarball to github and stopped supporting the ftp and rsync. Do not confuse distribution and contribution/development.

  • squeakycat@lemmy.ml
    12·
    2 months ago

    Considering the absolutely devastating performance hits 3.x brings (and the apparent design failures that make it extremely difficult if not impossible to reclaim it) I wonder if openssl’s days are numbered. WolfSSL seems to be favorable to the HAProxy team. Hopefully that can get some traction.

    • lemmyreader@lemmy.mlOPEnglish
      11·
      2 months ago

      Good that you mention WolfSSL and that HAProxy team seems to like it. Years ago some Linux distributions made the switch to LibreSSL, but unfortunately that all (?) seems to have failed.

  • pastermil@sh.itjust.works
    7·
    2 months ago

    Fuck that… I guess we really should go with LibreSSL after all.

    Speaking of, what is its current working state?

  • Kushan@lemmy.worldEnglish
    61·
    2 months ago

    I doubt many of the commentators here used any of the deprecated methods to contribute to openssl.

    It’s one thing to talk about what’s good for open source, it’s quite another to practice it.

    • toastal@lemmy.ml
      1·
      2 months ago

      I doubt many commenters here have used a wheelchair ramp to access a public building. Guess we should just remove all those ramps since that accessibility doesn’t affect them. The barrier to entry for setting up a wheel chair ramp is more expensive than offering at least one non-corporate code contribution method.

      • Kushan@lemmy.worldEnglish
        1·
        2 months ago

        Your analogy would fit if the deprecated methods didn’t have a higher barrier to entry than using GitHub.

        This is less like removing the wheelchair ramps and more like removing the steps at the back of the building.

        • toastal@lemmy.ml
          1·
          2 months ago

          Maybe. Maybe if the back steps required an account with a US-based service owned by a publicly-traded megacorporation that is collecting your data as per the ToS just to enter. That’s a helluva barrier that should never be expected for free software.

          • Kushan@lemmy.worldEnglish
            11·
            2 months ago

            And yet no actual contributor to openssl is losing sleep over this.