THE OPENSSL PROJECT has issued its first report card following the Heartbleed debacle, and it isn't pretty.
Although problems were expected after the heavy criticism the project received once the security flaws were discovered, the road map shows that the problems existed at an organisational level too.
One of the main criticisms was that the project was not transparent enough, and the release of this report is a public relations move from an organisation that is signalling its willingness to change.
Now overseen by the Core Infrastructure Initiative (CII), a consortium of industry players led by The Linux Foundation, the document will also act as a road map for the OpenSSL project's two full-time developers funded by the CII.
The document identifies eight areas where improvement is needed: the backlog in its bug-tracking system, poor documentation, an over-complex library, an inconsistent coding style, a lack of code reviews, the lack of a release plan, the lack of a clear platform strategy, and the lack of a security strategy.
As well as new service levels for bug reports and other improvements aimed at correcting some of these problems, the document also looks at ways to move the project forward. At the top of the list is support for IPv6, but ARMv8 platform support, DANE (DNS-based Authentication of Named Entities) and extended support for the SSL_CONF configuration interface also appear on the list.
Last week, Google announced plans for its own fork of OpenSSL, to be known as BoringSSL, which the company said it will integrate into Google products while also offering its changes back to both the main OpenSSL project and the LibreSSL fork.