From: Maciej Sobczak
Newsgroups: comp.lang.ada
Subject: Re: Heartbleed
Date: Fri, 11 Apr 2014 00:59:59 -0700 (PDT)
Message-ID: <15982110-dc30-4949-9d70-f00acf71a832@googlegroups.com>
In-Reply-To: <1ljwj8f.1wqbhvuabsdw1N%csampson@inetworld.net>

On Friday, 11 April 2014 04:39:18 UTC+2, Charles H. Sampson wrote:

> According to Wikipedia, the Heartbleed bug in OpenSSL is caused by
> two errors: Lack of bounds checking and failure to verify that the
> heartbeat request was valid. Whom does one express one's indignation to?

The following page answers your question:

http://www.openssl.org/source/license.html

The part written in CAPITAL LETTERS is specifically focused on this.

> The insistence of many in our "profession" on using C and its descendants
> is the reason I qualify the word "profession" when writing about
> software developers.

Every general statement has some exceptions. Even though *in general* you are right, in this particular case things work a bit differently. OpenSSL is intended as a common component that is used by everybody else. In order to achieve this you need to choose the technology that is a common denominator, both in terms of the ability to link with it and in terms of the availability of toolchains.

Now, you might argue that it is possible to write the library in Ada in such a way that it can be reused from other languages, it is not easy to do so, especially if you take into account the (un)availability of language runtime. The biggest issue, however, is the availability of compilers.

Saying that this stuff should have been written in Ada is pointless.

> Acting on a message without validating it is
> equally incomprehensible to me.

That's right.

> For the latter, someone needs a severe rebuke on his next
> performance review, at the least.

I am not aware of performance reviews for people who voluntarily contribute in their free time. Not sure if that was the case for this particular piece of code, but anyway, read the license again. The fact that somebody wrote a crappy piece of code is part of the whole problem - the other part is that we (yes, the whole world) choose to use it. Who is to blame?

> It so happens that for the last project I worked on, I was
> responsible for TCP/IP communication.

Put it in your CV, then.

-- 
Maciej Sobczak * http://www.msobczak.com * http://www.inspirel.com