Docker

Why do C-ucks still defend their horrendous language? Do they unironically enjoy watching their creations get penetrated by shady Russian men?

le C mustard rice xD

You're a funny guy, OP, but OpenSSL is written by morons. Go ahead, download it. Download it, look into the abyss, and realize that just about everything security-critical depends on this turd.

read about how the openbsd devs tore it apart to make the libressl fork
opensslrampage.org/page/49

Well aren't you fucking retarded, how about let the user enter an arbitrary address and some input and then write the input at the address.

The following is a random keyword the nsa monitors via pastebin.com/raw/UWffBQbn: RSO


Maybe in browserland, fagmancer.

Nice bait.
equery d openssl | cut -d' ' -f1 | sed '/^$/d'
app-arch/libarchive-3.2.1-r3
app-office/libreoffice-5.1.4.2
app-text/mupdf-1.9a
dev-lang/python-2.7.10-r1
dev-lang/python-3.4.3-r1
dev-libs/cyrus-sasl-2.1.26-r9
dev-libs/libevent-2.0.22
dev-perl/Net-SSLeay-1.720.0-r1
dev-python/m2crypto-0.22.3-r4
dev-qt/qtcore-4.8.6-r2
dev-qt/qtnetwork-5.6.1
dev-vcs/git-2.7.3-r1
mail-client/mutt-1.5.24-r2
media-video/ffmpeg-2.8.6
net-irc/irssi-0.8.17
net-libs/ldns-1.6.17
net-libs/libtorrent-0.13.6
net-libs/neon-0.30.1
net-misc/curl-7.49.0
net-misc/iputils-20151218
net-misc/openssh-7.2_p2
net-misc/wget-1.18
net-nds/openldap-2.4.38-r2
net-wireless/crda-3.18-r1
net-wireless/wpa_supplicant-2.5-r1
sys-fs/cryptsetup-1.6.5
www-client/elinks-0.12_pre6-r2
www-client/w3m-0.5.3-r5
x11-base/xorg-server-1.17.4

Congratulations, you agreed with me. Did you even read that list, boy genius?

I'll give 1/10, because I'm nice.

gr8 b8 m8

Suddenly I understand why there are so many vulnerabilities in OpenSSL. Thanks, user.
Implying that Math majors can write code.
Every Math major I've met has their head so far up their ass, I'm surprised they wrote an API they can use at all

math majors jump on the tech world because they're shit at math

/"""""""tech""""""/ indeed

Vulnerabilities discovered is not the same as vulnerabilities present. Also to pretend that something as important as openssl isn't being reamed with auditing compared to docker is completely disingenuous.

Sage for OP being willfully ignorant.

Docker uses a bunch of stuff written in C like every single kernel hook that it requires.

OpenSSL is legitimately one of the worst examples of C, it was so bad and cryptic, people just assumed it was okay because Red Hat was at the wheel.

The shock was that OpenSSL almost never merged code fixes; the Heartbleed bug had a fix that was in their tree for YEARS but they never merged it.

The OpenBSD guys finally forked and audited it after Heartbleed and found horrifying things just within the first 30 days.

I shit you not these things included:

Disabling your malloc

Has their own debugging malloc built in and never frees memory AND sends private info to logs

Faking randomness using your RSA key, just using strings in the source code like "This string gives entropy" and using the current time for entropy.

ifdef ifndef nestings up to 17 nests deep

Uses its own versions of standard lib functions that were much less secure and behaved differently

Adopted coding practices that made the lowest common denominator the default, like win16, dos and vms necessities being standard in modern posix and windows platforms

Upstreaming test code like big endian amd64 support (this doesn't exist)

Using a code standard so alien to everything else that it basically became its own language.

Hardcoded numbers because Visual C doesn't know sizeof

A full rundown is here:
youtube.com/watch?v=GnBbhXBDmwU
youtube.com/watch?v=WFMYeMNCcSY

opensslrampage.org/page/49

OpenBSD has 3 MLOC and has had 2 remote vulnerabilities, you can do it right.
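As an added example (not code from this thread, from OpenSSL or from LibreSSL), here is the kind of length check whose absence was the Heartbleed bug mentioned above. The record layout follows the TLS heartbeat message (type, two-byte big-endian payload length, payload, at least 16 bytes of padding); the buffers are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Heartbeat message layout inside a TLS record (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding (>= 16 bytes) */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Build a heartbeat response from a received request.
 * Copies only bytes the record actually carries and rejects any request
 * whose declared payload_length does not fit inside record_len.
 * Returns the number of payload bytes echoed, or -1 if the request is
 * malformed or the output buffer is too small. */
int hb_build_response(const uint8_t *record, size_t record_len,
                      uint8_t *out, size_t out_len)
{
    if (record == NULL || out == NULL)
        return -1;
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                       /* too short for header + padding */
    if (record[0] != 1)                  /* 1 = heartbeat_request */
        return -1;

    size_t payload_len = ((size_t)record[1] << 8) | record[2];

    /* The check Heartbleed lacked: the peer-supplied length must fit in the
     * record with room left for the mandatory padding. */
    if (payload_len > record_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return -1;
    if (out_len < HB_HEADER_LEN + payload_len + HB_MIN_PADDING)
        return -1;

    out[0] = 2;                          /* 2 = heartbeat_response */
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, record + HB_HEADER_LEN, payload_len);
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return (int)payload_len;
}
```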

It was well known in dev circles that OpenSSL was dogshit but everyone refused to switch to GnuTLS and there was a lot of FUD spread by the OpenBSD people about it at the time to keep people on OpenSSL. And so most people continued on with that mess with a license that isn't even compatible with their software which is a disaster still waiting to happen.

Saying switching to a new API will cause no one to adopt the new API is hardly fud.

We are truly in good hands

gnutls-openssl provided a compatibility layer for people that didn't want to change from OpenSSL's awful and dangerous API. But most people still didn't use GnuTLS, ignored those pointing out how bad OpenSSL's code was, and pretended (and still do) that the license is compatible with the GPL. Fuck them. They were warned and they have no right to act surprised now. And when some company pulls a SCO with the license issues they'll have no right to act surprised then, either.

Fair enough, I didn't know GnuTLS had a compat layer, LibreSSL is basically the same now, they have an internal sane api with a compat layer.

I guess they just really didn't want more GPL in their base?

Yeah, as the BSD devs are almost all paid today by companies using the BSDs to avoid the GPL. It's not the minor tribal autism of the '90s anymore, it's nasty stuff. Look deeper into the LLVM community, their motivations, and their sponsors for example.

LLVM is literally Apple, I don't think they're representative.

For people like the NetBSD, OpenBSD and Toybox they're just shitty at legal disputes and don't really care about if people take their shit because they're doing the code primarily for themselves.

Polite sage due to addendum

I think that accusation is entirely fair for FreeBSD and Illumos (maybe sans OpenIndiana)

I've been using LLVM's source for some fun, and the license is basically "Do what you want", and is similar to the GPL with the exception that you don't have to provide source code. Yes, LLVM was developed by Apple, but since they've already put the code out there with a license that says "Do whatever you want", they can't really fuck around with it.

They sure can. If they decide they want to take it proprietary there's nothing stopping them. The old versions won't become proprietary, but suddenly the official version with most of the manpower and the reputation and the continuing bugfixes and development is proprietary.

Comparing it to the GPL like that is sort of correct, but misleading if you already know a bit about licenses. It's just a permissive license, equivalent to 3-clause BSD.

I can't think of any licenses that have more potential for fucking around that still qualify as open source and/or free software.

Oracle tried this and it didn't work.

OpenZFS is miles ahead of Oracle ZFS.

LibreOffice was promptly converted from Java to C++ and is doing better than ever.

DTrace is better.

Even when companies do fork like Sony, Netflix and Juniper for FreeBSD, they eventually come back and commit source because they don't want to maintain a fork that is ultimately less active than the community one.

fug, bump because I forgot to get rid of sage.

In the case of Oracle it's due to shitty management at least as much as due to making their software proprietary.

Exactly the same thing would happen if it were under any other license. They are the copyright holders and can re-license their future stuff any way they want to.

The GPL would do literally nothing in that scenario.

That's only when there's copyright assignment in a project.
If there's not, they have to rewrite every external contribution in their tree.

No, because they don't require copyright assignment. If LLVM were GPL-licensed, and I contributed code to it, they couldn't make it proprietary because I still own the copyright.

Not YOUR stuff. You can do whatever you want with your stuff, they can do whatever they want with theirs; what license they allow others is immaterial. The licensing terms apply to others, not to the copyright holder.

But their stuff depends on your stuff. They're not allowed to make their stuff proprietary unless they remove all GPL parts made by other people. That's typically enough to stop relicensing from being feasible.

Only if they are stupid enough to let GPL code metastasize in their project instead of killing it in the bud like the cancer it is.

It's cancer because it doesn't let them be assholes?

Again: you were talking about a GPL licensed project, dumbass.
You can't fucking take others' contributions and close them up, in that context, without copyright assignment.

Good morning, /neetneonaziechochamber/!
hi ballmer

Gno.
"Neo" is a buzzword that means almost nothing.
Looks like there are different opinions in this thread.