Google's BoringSSL should help the company better manage things

Jun 23, 2014 07:30 GMT  ·  By

Google has taken the OpenSSL codebase and has decided to fork it into a new project that it calls BoringSSL.

While the name may make it seem like a prank, it’s far from it, actually. The company’s Senior Software Engineer Adam Langley explains the decision at length in a blog post.

Up until now, Google has rebased its custom patches onto each new release of the OpenSSL toolkit. From here on out, however, Google will integrate these patches into BoringSSL and bring over any OpenSSL updates that are implemented upstream.

“We have used a number of patches on top of OpenSSL for many years. Some of them have been accepted into the main OpenSSL repository, but many of them don’t mesh with OpenSSL’s guarantee of API and ABI stability and many of them are a little too experimental,” said Langley.

He added that as Android, Chrome and other Google products have started to need some subset of these patches, things have become very complex and the effort to keep all of them straight across multiple code bases is starting to be too much, even for the largest Internet company in the world.

BoringSSL doesn’t aim to be a replacement for OpenSSL as an open-source project and Google won’t be giving up on the latter either. In fact, Google promises to continue sending bug fixes when they’re discovered, while also importing changes from upstream. The funding for the Core Infrastructure Initiative and the OpenBSD Foundation will continue.

OpenBSD has its own OpenSSL fork called LibreSSL, which was created earlier this year. Theo de Raadt, founder and leader of the project, welcomed Google’s new efforts.

“I suspect everyone working on LibreSSL is happy to hear the news about BoringSSL. Choice is good!! Their priority is on safety, not on ABI compatibility. Just like us,” he said in a short message.

He added that over time, Google’s version will also become “reduced API,” since Google requires less legacy application support. He believes that this will eventually give LibreSSL the chance to head in the same direction, “if the applications are willing.”

The changes that Google is implementing should also come in handy for avoiding future catastrophic security issues such as Heartbleed. By taking each new update from OpenSSL and importing it into BoringSSL, the company’s engineers must go through everything with a fine-tooth comb, which should translate into higher security. Of course, this isn’t guaranteed, but it is quite likely to happen, especially since it was Google who originally discovered Heartbleed.