comp.lang.ada
From: Georg Bauhaus <rm-host.bauhaus@maps.futureapps.de>
Subject: Re: OpenSSL development (Heartbleed)
Date: Sat, 19 Apr 2014 22:20:06 +0200
Date: 2014-04-19T22:20:07+02:00
Message-ID: <5352da76$0$6701$9b4e6d93@newsspool2.arcor-online.net>
In-Reply-To: <3ZSdnd4A49AxV8_OnZ2dnUVZ_qSdnZ2d@giganews.com>

On 19/04/14 21:12, Alan Browne wrote:
>
> No.  Where OpenSSL is underfunded and has a population of maybe 4 programmers dedicated to it (the guy who created the bug not being one of the 4) released an important security breach upon the masses;
>
> Contrast with OpenSourced Linux which has a well (corporate) funded organization and has a lot more eyeballs on the code and hasn't (Linux itself) suffered any major or embarrassing problems.

A comparison of one bug in one library to bugs in the amount of
software that is "Enterprise Linux"  does not seem balanced
enough.
      Also, insofar as OpenSSL is well associated with
open source Linux, it is likely that fixing Heartbleed-like
bugs will be covered by {Red Hat, ...} support. This adds to
an argument that there actually is funding for OpenSSL etc.,
or, conversely, that there is never enough funding for all the
software to be bug free.
  At least, that seems to be the argument of the articles:
that funding and enterprise support are supposed to achieve
so high a quality of software that it would have prevented
Heartbleed etc.


OTOH, and bringing this back to Ada, the CVE sites state quite
openly that most of the issues have to do with int, malloc,
computed pointers, and assumptions that are not reflected in all
of these (overflow, say).
  If it is possible to make programmers use an Ada style fundamental
type system instead, thus also better arrays and fewer pointers,
this change would naturally reflect more of the assumptions. The
conclusion can only be that this change makes the software so written
as good as the assumptions. According to McCormick's findings,
that's not nothing. The fundamentals do matter.
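
An illustration of the point about assumptions carried by the type system, added here and not part of the original post: a heartbeat-style echo in Ada where the claimed length is a constrained subtype and the reply is an array slice, so a claim larger than the data received raises Constraint_Error instead of returning neighbouring memory. The names, the 64-byte limit and the sample bytes are constructed for this sketch.

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Echo_Demo is
   --  Constructed limit; not taken from any protocol specification.
   Max_Payload : constant := 64;

   subtype Payload_Length is Natural  range 0 .. Max_Payload;
   subtype Payload_Index  is Positive range 1 .. Max_Payload;
   type Byte is mod 2 ** 8;
   type Payload is array (Payload_Index range <>) of Byte;

   --  Return the first Claimed bytes of what was actually received.
   --  The assumption "Claimed <= Received'Length" is expressed by the
   --  slice bounds: if it does not hold, the bounds check raises
   --  Constraint_Error (unless checks are suppressed at build time).
   function Echo
     (Received : Payload;
      Claimed  : Payload_Length) return Payload is
   begin
      return Received (Received'First .. Received'First + Claimed - 1);
   end Echo;

   --  Constructed sample: four bytes really arrived.
   Received : constant Payload (1 .. 4) := (16#41#, 16#42#, 16#43#, 16#44#);

   procedure Try (Claimed : Payload_Length) is
   begin
      declare
         Reply : constant Payload := Echo (Received, Claimed);
      begin
         Put_Line ("claimed" & Payload_Length'Image (Claimed)
                   & ": echoed" & Natural'Image (Reply'Length) & " bytes");
      end;
   exception
      when Constraint_Error =>
         Put_Line ("claimed" & Payload_Length'Image (Claimed)
                   & ": rejected, only" & Natural'Image (Received'Length)
                   & " bytes were received");
   end Try;
begin
   Try (4);   --  length matches the data
   Try (0);   --  empty slice is legal
   Try (60);  --  within the protocol limit, but more than was received
end Echo_Demo;
```

The software is only as good as the stated assumptions: the same slice compiled with run-time checks suppressed would lose this protection.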


