From: Georg Bauhaus
Newsgroups: comp.lang.ada
Subject: Re: OpenSSL development (Heartbleed)
Date: Sat, 19 Apr 2014 18:34:13 +0200
Message-ID: <5352a585$0$6707$9b4e6d93@newsspool3.arcor-online.net>

On 19/04/14 18:00, Yannick Duchêne (Hibou57) wrote:
> On Sat, 19 Apr 2014 17:36:17 +0200, Georg Bauhaus wrote:
>>
>> In between, reports of booing, bemoaning, and demanding; journalist
>> tries to establish a scapegoat (OpenSSL users don't fund!).
>> No proof, no clear indication of causation, but alluding in style.
>> By saying that OpenSSL is not a well funded project, she obviously
>> tries to imply that this is (a) true in effect,
>
> That's a well established fact in the software area, so the assumption is honest enough.

That Funding = Quality_Assurance is a repeatedly established belief in talking about the "software area", so the only thing one can honestly assume is that people are going to repeat it.

All of: the discovery of a bug, the review process, if any, are empirically observable facts, to some extent, though not always publicly observable. The results will depend on the instruments of observation. The interpretation of results can be subject to review etc. (Rarely, if ever, do we get to see the "issues" that affect the most widespread OS of all, e.g.) Examples include the Heartbeat bug (OpenSSL), the GotoFail bug (Apple), the RTF bug, and several others on record at the CVE database, things known by prefixes "KB" and "HT", etc.

>> and (b) that funding
>> prevents bugs. (a): most of OpenSSL does exist only after work
>> of paid employees. (b): See bugs discovered at the same time in well
>> funded MS Word and MS Outlook projects, of similar reach.
>
> Obviously, funding does not make miracles but neither does free as in free‑beer.

This says what doesn't produce miracles: both funding and not funding, hence everything. A rhetorically and politically usable statement, though pointless. It wasn't claimed that free or free-beer would produce miracles! That claim would be journalistic implication.

> However you are more likely to get people sticking to good methods, give time and energy for this, if they get something in return.

Well, that again makes for a hypothesis that is so unspecific that it fits the same bill: correlation turned causal based on likelihood, ceteris paribus. E.g., what are the specifics in terms of work hours, pay, and project characteristics? Do we have control-group-like evidence? Can you substantiate your claim a little?