The OpenSSL Project, gatekeepers for the widely used open source encryption software, has been widely criticized in the wake of the Heartbleed vulnerability, but the organization has responded by establishing a roadmap to address some of its longstanding issues and improve communication with its community.
Posted to the OpenSSL website this week, the roadmap enumerates some of the problems that have accrued within the organization over the years. The most pressing concerns deal with the lack of consistent documentation across the project -- with some bugs being fixed but never recorded in the tracking system -- and with documentation for certain areas of the OpenSSL software either being missing or wrong.
The codebase itself also suffers from being entirely too complex, according to the post, as the project expanded to several platforms that are now irrelevant, while numerous developers with varying coding styles worked on the software. The code also suffered from a lack of regular reviews.
"The current code layout is unusual and idiosyncratic and unlike any other open source software," said the OpenSSL Project post, which lays out a strategy to implement regular code reviews, reduce the complexity of the encryption library and to improve documentation practices.
Perhaps most pressing, the roadmap noted that the OpenSSL Project had never established a standard approach to how users are informed of security advisories -- a problem that surfaced when organizations around the world were left scrambling to address Heartbleed with no prior warning in most cases. Within two months, OpenSSL plans to offer documentation on how security fixes are produced and whether users will receive a pre-notification for future updates.
OpenSSL's multitude of issues may have arisen in large part due to the lack of funding the project has received. OpenSSL Software Foundation co-founder Steve Marquess recently indicated that prior to Heartbleed, the organization only received around $2,000 per year in donations and had never generated more than $1 million in annual revenue. As a result, few man-hours were being spent working on a project that underpinned the security of the Web.
A dozen of the largest tech companies in the world recently committed millions of dollars to assisting critical open-source projects like OpenSSL, which may help close that funding gap. Combined with its newly established roadmap, the OpenSSL Project seemingly looks set to undergo a needed overhaul.
"The OpenSSL project is increasingly perceived as slow-moving and insular," said the OpenSSL post. "This roadmap will attempt to address this by setting out some objectives for improvement, along with defined timescales."