We’re no longer using our old ftp, rsync, and git links for distributing OpenSSL. These were great in their day, but it’s time to move on to something better and safer. ftp://ftp.openssl.org and rsync://rsync.openssl.org are not available anymore. As of June 1, 2024, we’re also going to shut down https://ftp.openssl.org and git://git.openssl.org/openssl.git mirrors.

GitHub is becoming the main distributor of the OpenSSL releases.

  • UpperBroccoli (103 upvotes, 7 months ago)

    Good idea, giving Microsoft control over every single open source project. I mean, what could go wrong, right?

    • lemmyreader@lemmy.ml (OP) (69 upvotes, 7 months ago)

      Yes, what would possibly go wrong? And OpenSSL is only a small and unimportant project and hardly anyone depends on it, right? Right? I can dig that they want to get rid of some of their own services but completely giving up on their own git repository? Let’s hope they do mirror the source code on Codeberg or sourcehut.

        • lemmyreader@lemmy.ml (OP) (7 upvotes, 7 months ago)

          Well, yes. But let’s say the OpenSSL developers copy new changes of source code to GitHub, and something goes wrong after the copying (think of a malicious attacker breaking in and changing some code), then all the people copying from that one download link will be in the same boat as well.

          • Gamma@beehaw.org (5 upvotes, 7 months ago, edited)

            Any official mirrors would sync the changes anyway, it’s automatic

            Edit: Oh, I think I misunderstood your point. I agree that hosting the repos themselves would make it harder for randoms to maliciously introduce code

            • lemmyreader@lemmy.ml (OP) (5 upvotes, 7 months ago)

              I was trying to say that if the OpenSSL developers upload new source code to only GitHub and something goes wrong, even for example simply a mistake or failure by GitHub, then other users wanting to download will not have to wait for the OpenSSL developers to repair that problem when the OpenSSL project would for example have mirrors on Codeberg or sourcehut or their own git server, the latter of which they intend to deprecate.

              • Gamma@beehaw.org (3 upvotes, 7 months ago)

                If they were to set up an official mirror it would be automatic, so I don’t think there’s any real way to avoid that problem with their current plan. But you’re right! Sorry for the confusion

            • refalo@programming.dev (2 upvotes, 7 months ago)

              What is your definition of harder? I think bugs/breaches are even more likely on personal forges than GitHub. Not that one should rely on GitHub anyways…

            • toastal@lemmy.ml (1 upvote, 7 months ago)

              Microsoft GitHub is riddled with bugs, is down at least once a month, & throttles non-Western IPs.

              • Auzy@beehaw.org (1 upvote, 7 months ago)

                What bugs? Be specific…

                Also, I can’t remember the last time GitHub has been offline for me (in the last 3.5 years of using it at work)

                • toastal@lemmy.ml (1 upvote, 7 months ago, edited)

                  The one I ran into 2 days ago was a user approving a pull request while I was requesting their & other maintainers’ review. It canceled their approval & I had to fetch them to reapprove since in that project no-green-checkmark-no-merge. It should not have erased their approval.

                  I bet you live in the West. My daytime, there are heaps of outages.

    • refalo@programming.dev (7 upvotes, 7 months ago)

      Read-only GitHub mirror with read/write on a personal forge seems like one possible approach to make it more accessible/friendly without giving up any control to MS.