From: "Dmitry A. Kazakov"
Newsgroups: comp.lang.ada
Subject: Re: OpenSSL development (Heartbleed)
Date: Tue, 22 Apr 2014 18:33:50 +0200
Organization: cbb software GmbH
Message-ID: <19mxjybev4fc9.1fkxznem326v8$.dlg@40tude.net>
References: <-OGdnezdYpRWFc_OnZ2dnUVZ_vednZ2d@giganews.com> <535297f1$0$6715$9b4e6d93@newsspool3.arcor-online.net> <5352a585$0$6707$9b4e6d93@newsspool3.arcor-online.net> <535688a0$0$6721$9b4e6d93@newsspool3.arcor-online.net>
Reply-To: mailbox@dmitry-kazakov.de

On Tue, 22 Apr 2014 17:20:13 +0200, G.B. wrote:

> On 22.04.14 01:51, Randy Brukardt wrote:
>> "Georg Bauhaus" wrote in message
>> news:5352a585$0$6707$9b4e6d93@newsspool3.arcor-online.net...
>>> On 19/04/14 18:00, Yannick Duchêne (Hibou57) wrote:
>> ...
>>>> However you are more likely to get people sticking to good methods, give
>>>> time and energy for this, if they get something in return.
>>>
>>> Well, that again makes for a hypothesis that is so unspecific
>>> that it fits the same bill: correlation turned causal based on
>>> likelihood, ceteris paribus.
>>> E.g., what are the specifics in terms of work hours, pay, and
>>> project characteristics?
>>> Do we have control-group like evidence?
>>
>> I can give you a couple of data points:
>> First, the state of Ada standardization[...]
>
> Evidence, indeed!
> Now given ISO/IEC 27000, a family of standards revolving
> around security, and Heartbleed, what can anyone do to make
> standards effective? Properly designed standards, maybe?

Let me ask a stupid question. What has a transport level protocol to do
with the application level's servers (and clients)? If it really were a
strictly transport level, no implementation could leak data out of
higher levels. Right?

> The money paid for the standardization of
> security procedures seems not to have affected the source code
> of one commercial security "procedure", OpenSSL.
> If Heartbleed is characteristic of paid standardization's
> actual outcome, then something is wrong somewhere.

You must have a software market in the first place. Anything which comes
free has no value. There is no market pressure to improve quality and
functionality because there is no liability, either monetary or legal.
Neither the model of "intellectual property" nor the free software model
is working to reach these goals, in the sense of an optimization problem.

> Absurd, in fact.

Nothing absurd. If C is selected in the process over Ada, there is a
reason for this. And this reason (which is not lack of {} braces, as
people used to think) influences any SW development as well. We see the
fruits, more to come...

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
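Added example, not part of the post above and not OpenSSL's own code: a simplified C model of the RFC 6520 heartbeat echo, written here to show how a transport-layer implementation can leak data that belongs to higher layers. Heartbleed happened because the heartbeat handler copied the peer-supplied payload_length bytes out of the received record without checking that the record was actually that long, so the response carried whatever sat next to the record in process memory. The record layout (type, 2-byte length, payload, 16 bytes of padding) follows RFC 6520; the arena, the "ping" payload and the SECRET string standing in for application data are constructed test inputs, and the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record (RFC 6520): type(1) | payload_length(2, big-endian) |
 * payload | padding(>=16). The peer controls payload_length. */
#define HB_TYPE_REQUEST  1
#define HB_TYPE_RESPONSE 2
#define HB_HEADER        3
#define HB_PADDING       16

static uint16_t hb_claimed_len(const uint8_t *rec) {
    return (uint16_t)(((uint16_t)rec[1] << 8) | rec[2]);
}

/* Vulnerable echo: trusts the claimed length and bounds only the output.
 * memcpy reads `payload` bytes from rec+3 however short the record really
 * was, so adjacent memory ends up in the response. */
size_t hb_echo_unchecked(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap) {
    (void)rec_len;                          /* the bug: never consulted */
    uint16_t payload = hb_claimed_len(rec);
    size_t resp_len = HB_HEADER + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_TYPE_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);   /* over-read */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return resp_len;
}

/* Fixed echo: header + claimed payload + padding must fit inside the
 * record actually received; otherwise the message is silently dropped. */
size_t hb_echo_checked(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    uint16_t payload = hb_claimed_len(rec);
    if (HB_HEADER + (size_t)payload + HB_PADDING > rec_len) return 0;
    size_t resp_len = HB_HEADER + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_TYPE_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return resp_len;
}

/* Constructed memory: a 4-byte "ping" heartbeat followed directly by a
 * string standing in for unrelated application-layer data. Everything
 * lives in one array, so the over-read stays inside a defined object. */
#define ARENA_SIZE 128
static const char SECRET[] = "session=SuperSecretCookie";

static size_t build_arena(uint8_t *arena, uint16_t claimed_payload) {
    static const uint8_t ping[4] = {'p', 'i', 'n', 'g'};
    size_t rec_len = HB_HEADER + sizeof ping + HB_PADDING;   /* 23 bytes */
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_TYPE_REQUEST;
    arena[1] = (uint8_t)(claimed_payload >> 8);
    arena[2] = (uint8_t)(claimed_payload & 0xff);
    memcpy(arena + HB_HEADER, ping, sizeof ping);
    memcpy(arena + rec_len, SECRET, sizeof SECRET - 1);
    return rec_len;
}

static int contains(const uint8_t *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

typedef size_t (*hb_echo_fn)(const uint8_t *, size_t, uint8_t *, size_t);

/* Feed a record claiming 60 payload bytes (only 4 present) to one echo
 * implementation. Returns 1 if the response carries SECRET. */
int hb_leaks_secret(hb_echo_fn echo, size_t *resp_len_out) {
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, 60);
    size_t n = echo(arena, rec_len, out, sizeof out);
    if (resp_len_out) *resp_len_out = n;
    return contains(out, n, SECRET);
}

size_t hb_response_len(hb_echo_fn echo) {
    size_t n = 0;
    hb_leaks_secret(echo, &n);
    return n;
}

int main(void) {
    size_t n;
    int leaked = hb_leaks_secret(hb_echo_unchecked, &n);
    printf("unchecked echo: leaked=%d response=%zu bytes\n", leaked, n);
    leaked = hb_leaks_secret(hb_echo_checked, &n);
    printf("checked echo:   leaked=%d response=%zu bytes\n", leaked, n);
    return 0;
}
```

The unchecked echo answers a 23-byte record with a 79-byte response that includes the SECRET bytes; the checked echo rejects the same record. Layering in the protocol specification is irrelevant here: the copy is bounded by the peer's number, not by what the transport layer received, so the bytes that leak are whatever the process keeps nearby, including application data.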