[Cryptography] Apple and OpenSSL

Jerry Leichter leichter at lrw.com
Sat Apr 19 08:08:20 EDT 2014


On Apr 19, 2014, at 12:59 AM, Ben Laurie <ben at links.org> wrote:
> "Building its own security software meant that Apple and its
> developers were no longer captive to the external development issues
> and eccentricities related to the OpenSSL open source project, which
> despite its critical importance and broad use by the industry, was
> being funded through donations and was, incredibly, maintained by a
> very small team of just four core developers."
> 
> "Incredible". How could Apple have possibly helped with that? I can't imagine.
I suspect the "incredible" comment is from the website author.  Apple, like other successful software developers, knows that small teams are often better than large ones.  There are types of software that really need large teams - if you need to produce 500 different screens and interface with 300 different back ends, a team of 5 won't get you very far - but any tightly integrated single piece of software shouldn't require large numbers of people.  If you're developing something like SSL and you need a large team, you're doing something wrong - and I'm sure Apple knows that.

Whether *4* is an appropriate number for OpenSSL, I don't know.  Not having looked at the code base, I'd guess that 4 is somewhat low but 40 is too big.  Somewhere around 10 might be right during periods of intense activity (like now, where there's apparently a big push to clean up the code, get rid of old junk, eliminate every bug even suspected of being in there), but for maintenance, 4 might even make sense.  But, again, that's guesswork based on familiarity with the general functionality provided, not the actual codebase.

None of this has anything to do with Apple specifically.  The Apple-specific stuff in that quote rings true as a matter of corporate culture:  Apple, channeling Steve Jobs's experiences and fears (some say paranoia), has long had a culture that actively avoids being dependent on outsiders for anything deemed critical to Apple's success.  That's why they design their own CPUs (and there are rumors that they are planning to design their own baseband chips) as a prominent big-ticket example.  What's interesting in the quote - if it's true, and the evidence supports it - is that *Apple has decided that security is critical to its success*.  This is quite a change from their previous attitude, in which they relied on third parties to patch holes in critical security software, and were quite lackadaisical about getting the patches into the software they then repackaged and distributed to their customers.

The recent publication of their iOS security white paper is another example of this apparent change in direction.

Where it actually gets them, we'll have to wait and see.  After all, they only a month or two back had a major embarrassment with the "gotofail" bug, which they introduced themselves.  (Of course, there's nothing like such an embarrassment to really light the fire under efforts to improve the process.)

                                                        -- Jerry