this post was submitted on 02 May 2024
116 points (96.8% liked)

Open Source

31173 readers
80 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
116
OpenSSL goes GitHub only (openssl.org)
submitted 6 months ago* (last edited 6 months ago) by [email protected] to c/[email protected]
53 comments fedilink hide all child comments
 

We’re no longer using our old ftp, rsync, and git links for distributing OpenSSL. These were great in their day, but it’s time to move on to something better and safer. ftp://ftp.openssl.org and rsync://rsync.openssl.org are not available anymore. As of June 1, 2024, we’re also going to shut down https://ftp.openssl.org and git://git.openssl.org/openssl.git mirrors.

GitHub is becoming the main distributor of the OpenSSL releases.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 48 points 6 months ago (3 children)

These were great in their day, but it’s time to move on to something better and safer.

How is it "safer" when contributing to the codebase or filing and discussing issues will now require creating an account and giving up personal information to one of the most privacy-invasive tech companies in the world? 😳

[–] [email protected] 13 points 6 months ago* (last edited 6 months ago)

You are mistaking contributing and distributing.

Edit to clarify: The blog is strictly speaking about the means of distributing the release tarball. Distributing the release tarball has nothing to do with how contribution is accepted or how issue is handled. What they say on the blog is also very clear IMHO and for a good reason. Maintaining infrastructure takes work. Works that if you didn't do it right can be an attack vector. Do you guys remember xz? Do you read how the vulnerabilities came to be? Maintaining a single source of truth for the release tarball can help mitigate that. If one malicious actor can control even one of the distribution channels of the release tarball we get xz 2 electric boogaloo.

[–] [email protected] 7 points 6 months ago* (last edited 6 months ago)

This announcement is just downloads which will continue to be available anonymously.

[–] [email protected] 14 points 6 months ago

Agreed!