
Indeed! I 100% agree.

I know you didn't say this, but I do think it's important to dispel the notion that this is somehow a "response" to LibreSSL. As far as I can tell, it's not; the two initiatives started in parallel. The Linux Foundation started reaching out to companies to join them in supporting projects that are important and not necessarily visible -- starting with OpenSSL -- at the same time the LibreSSL project was starting.

When I asked Jim Zemlin (Linux Foundation executive director) about LibreSSL yesterday, he wasn't familiar enough with the project -- but was certainly open to the idea of all projects working together (or even having CII support something like LibreSSL if it had the type of adoption that would make it a core part of the open web).

Even if this project had been in place when Theo and the OpenBSD guys forked OpenSSL, I still think they would have forked it and started LibreSSL. After all, they have their own ideas about crypto and security and their own plans for how to run a project.

And even assuming LibreSSL can become a true drop-in replacement for all existing OpenSSL installations (which I truly doubt), that doesn't mean it will. Look at MySQL vs. MariaDB. Maria is finally gaining default status in important projects, but it's hardly replaced MySQL and realistically speaking, it probably won't.

So even if you want to argue that LibreSSL is going to do a better job with fixing OpenSSL's flaws (which may or may not be true), the reality is, OpenSSL is not going to go away.

Given that reality, doesn't it make sense to at least have the biggest stakeholders in the project offer it support so that the small dev team can stop with the contract work and work on making OpenSSL better?



OpenSSL needs a competitor to keep them honest, because clearly they've failed at their duty to push back on TLS WG features, failed at deprecating old code (Tandem multiplication, really?) and failed at writing secure code.


"Duty" is a bit too strong a word for this don't you think?


Not in this case. There's an implied duty when you represent your work as being suitable for critical uses such as securing the world's communications.


I thought GnuTLS would have been the alternative to OpenSSL but apparently it fell short.


For a while, GnuTLS was faster to support newer TLS standards. But again, same boat of not taking a leadership approach to engage TLS WG.

More implementations:

https://en.wikipedia.org/wiki/Comparison_of_TLS_Implementati...


Was there a project management level reason to it, or was it just not the right combination of people? Anybody know more?


nss and nspr, to name one alternative.



