A small group of well-known OpenBSD developers is working on a fork of OpenSSL, to be named LibreSSL.
This group is going through the OpenSSL source code base and removing support for old/ancient platforms, reformatting the code to KNF (Kernel Normal Format), removing dead code, fixing bugs and improving the package documentation.
They’re aided by the freedom to abandon old cruft that will never again be used, but there’s a certain amount of enjoyment to be had in reading snarky commit comments such as:
ASN1_STRING cleanup - realloc has handled NULL since I had a mullet and parachute pants ...
This only works on systems where calloc() does the integer overflow check, but if your system doesn't do this, you need to ask your vendor WHY THEY ARE 10 YEARS BEHIND IN BEST PRACTICE?
I'm glad to know that Ultrix CC has a bug optimizing switch() statements lacking an explicit `case 0:' construct. But Ultrix has been dead for more than 15 years, really. Don't give it any reason to move out of its coffin.
12 years ago, old_des.h was used to provide compatibility with libdes. The man page says "Compatibility des_ functions are provided for a short while" and indeed even the original commit message says "The compatibility functions will be removed in some future release, at the latest in version 1.0." So here we are, a short while later. Now I've only been an OpenBSD developer for 11 years, one year less than this header has existed, but in that brief time, I've learned a thing or two about deleting obsolete code. It doesn't delete itself. And worse, people will continue using it until you force them onto a better path.
(To read more from the complete check-in history, see OpenBSD CVSweb)
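The calloc() commit message above hinges on one detail: a correct calloc() refuses a request whose nmemb * size product overflows, while the product computed by hand wraps silently and hands the allocator a tiny byte count. As an added illustration (not code from OpenSSL, LibreSSL or this post), the check written out explicitly next to the unchecked product it guards against; the helper names are my own:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if nmemb * size would overflow size_t, 0 otherwise.
 * This is the test a correct calloc() performs before allocating. */
int alloc_size_overflows(size_t nmemb, size_t size)
{
    if (nmemb == 0 || size == 0)
        return 0;
    return nmemb > SIZE_MAX / size;
}

/* Overflow-checked zeroed allocation: refuses the request instead of
 * passing a wrapped-around byte count to the allocator. */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (alloc_size_overflows(nmemb, size))
        return NULL;
    void *p = malloc(nmemb * size);
    if (p != NULL)
        memset(p, 0, nmemb * size);
    return p;
}

/* The unchecked pattern the commit warns about: the product wraps modulo
 * SIZE_MAX + 1, so the caller receives far fewer bytes than it believes. */
size_t naive_byte_count(size_t nmemb, size_t size)
{
    return nmemb * size;
}
```

With nmemb = SIZE_MAX / 2 + 1 and size = 2 the naive product is 0, so an unchecked allocator would return a zero-byte buffer for a request the caller thinks holds billions of elements.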
I, for one, am glad to see a dedicated team look at this code base with the freedom to make it better, smaller, and auditable. I wish them the best, and have thrown a few simoleons into their kitty.