The OpenSSL Project has released a new roadmap that it hopes will counter concerns that it moves slowly and inconsistently.
The Heartbleed bug, which affected 66 percent of web servers, was found in OpenSSL technology in April. The OpenSSL Project calls its plans to improve the technology “aspirational”, and hopes that they will help deal with long-standing issues.
“This document is intended to outline the OpenSSL project roadmap. It is a living document and is expected to change over time. Objectives and dates should be considered aspirational,” it said in its introduction.
“The OpenSSL project is increasingly perceived as slow-moving and insular. This roadmap will attempt to address this by setting out some objectives for improvement, along with defined timescales.”
The OpenSSL Project has identified eight major issues that it will deal with. These are: the backlog in its bug-tracking system; bad documentation; library complexity; inconsistent coding; a lack of code reviews; no clear release plan; no clear platform strategy; and no security strategy. It aims to tackle these through a range of changes.
Regarding clearing the bug-tracking backlog, it said: “A large proportion of these issues have been open for years. Some of these have in fact been dealt with and should be closed, but this has not been recorded in the system. Most however have not been looked at.”
To deal with these issues, the OpenSSL Project will address its processes, aiming to deal with new bug tickets within four days, for example. It will also define a clear coding standard and set out a clear policy on how it makes security fixes. The OpenSSL Project said it has started making changes already.
As well as making these changes to existing processes, the OpenSSL Project is also testing out new systems, including IPv6 support.
The work comes as the Linux Foundation, which oversees the OpenSSL technology, hires two full-time staff to work on the system, in order to try to be more proactive at finding issues.