A small team of well-known developers from the OpenBSD team is working on a fork of OpenSSL, to be named LibreSSL.
This group is going through the OpenSSL source code base and removing old/ancient distributions, reformatting the code to KNF (Kernel Normal Format), removing dead code, fixing bugs and improving the package documentation.
They’re aided by the freedom to abandon old cruft that will never again be used, but there’s a certain amount of enjoyment to be had in reading snarky commit comments such as:
ASN1_STRING cleanup - realloc has handled NULL since I had a mullet
and parachute pants ...
and
This only works on systems where calloc() does the integer overflow
check, but if your system doesn't do this, you need to ask your vendor
WHY THEY ARE 10 YEARS BEHIND IN BEST PRACTICE?
and
I'm glad to know that Ultrix CC has a bug optimizing switch() statements
lacking an explicit `case 0:' construct. But Ultrix has been dead for more than
15 years, really. Don't give it any reason to move out of its coffin.
and
12 years ago, old_des.h was used to provide compatibility with libdes.
The man page says "Compatibility des_ functions are provided for a short
while" and indeed even the original commit message says "The compatibility
functions will be removed in some future release, at the latest in
version 1.0." So here we are, a short while later.
Now I've only been an OpenBSD developer for 11 years, one year less than
this header has existed, but in that brief time, I've learned a thing or
two about deleting obsolete code. It doesn't delete itself. And worse,
people will continue using it until you force them onto a better path.
(To read more from the complete check-in history, see OpenBSD CVSweb)
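The calloc() commit above is about allocation-size arithmetic, so here is a small added example (my own C, not OpenSSL or LibreSSL code) of the integer-overflow check it expects the C library to perform on nmemb * size, next to a checked allocator for a platform whose calloc() does not do it; the function names are mine.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from OpenSSL or LibreSSL: the overflow check on
 * nmemb * size that the calloc() commit message expects the C library to
 * perform. In size_t the product wraps silently, so a naive
 * malloc(nmemb * size) can hand back a buffer far smaller than the caller
 * then writes into. */

/* What a naive "malloc(nmemb * size)" actually requests: on overflow the
 * product wraps to a small number (for 2^63 * 4 it wraps all the way to 0). */
size_t naive_alloc_size(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Returns 1 and stores nmemb * size in *out if the product fits in size_t,
 * else 0. Dividing instead of multiplying keeps the check itself from
 * overflowing. */
int alloc_size_ok(size_t nmemb, size_t size, size_t *out)
{
    if (nmemb != 0 && size > SIZE_MAX / nmemb)
        return 0;
    *out = nmemb * size;
    return 1;
}

/* Zeroed array allocation that does not rely on the platform's calloc()
 * for the overflow check (the "10 years behind" vendor case): check first,
 * then allocate and clear. Fails with ENOMEM, as a modern calloc() does. */
void *checked_calloc(size_t nmemb, size_t size)
{
    size_t total;
    void *p;

    if (!alloc_size_ok(nmemb, size, &total)) {
        errno = ENOMEM;
        return NULL;
    }
    p = malloc(total);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}
```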
I, for one, am glad to see a dedicated team look at this code base with the freedom to make it better, smaller, and auditable. I wish them the best, and have thrown a few simoleons into their kitty.