From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=unavailable autolearn_force=no version=3.4.4 Path: border1.nntp.dca3.giganews.com!backlog3.nntp.dca3.giganews.com!border2.nntp.dca.giganews.com!nntp.giganews.com!newsfeed.news.ucla.edu!usenet.stanford.edu!news.kjsl.com!feeder.erje.net!eu.feeder.erje.net!newsfeed.fsmpi.rwth-aachen.de!uucp.gnuu.de!newsfeed.arcor.de!newsspool4.arcor-online.net!news.arcor.de.POSTED!not-for-mail Date: Sat, 19 Apr 2014 22:20:06 +0200 From: Georg Bauhaus User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 Newsgroups: comp.lang.ada Subject: Re: OpenSSL development (Heartbleed) References: <-OGdnezdYpRWFc_OnZ2dnUVZ_vednZ2d@giganews.com> <535297f1$0$6715$9b4e6d93@newsspool3.arcor-online.net> <5352a76f$0$6720$9b4e6d93@newsspool3.arcor-online.net> <3ZSdnd4A49AxV8_OnZ2dnUVZ_qSdnZ2d@giganews.com> In-Reply-To: <3ZSdnd4A49AxV8_OnZ2dnUVZ_qSdnZ2d@giganews.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit Message-ID: <5352da76$0$6701$9b4e6d93@newsspool2.arcor-online.net> Organization: Arcor NNTP-Posting-Date: 19 Apr 2014 22:20:07 CEST NNTP-Posting-Host: b8d30b9a.newsspool2.arcor-online.net X-Trace: DXC=gdAGj==4LGl]l@YUW5NBknA9EHlD; 3Ycb4Fo<]lROoRa8kFejVhoGHV1S8c2`oeZehQ`M[Y^j X-Complaints-To: usenet-abuse@arcor.de X-Original-Bytes: 3113 Xref: number.nntp.dca.giganews.com comp.lang.ada:185888 Date: 2014-04-19T22:20:07+02:00 List-Id: On 19/04/14 21:12, Alan Browne wrote: > > No. Where OpenSSL is underfunded and has a population of maybe 4 programmers dedicated to it (the guy who created the bug not being one of the 4) released an important security breach upon the masses; > > Contrast with OpenSourced Linux which has a well (corporate) funded organization and has a lot more eyeballs on the code and hasn't (Linux itself) suffered any major or embarrassing problems. A comparison of one bug in one library to bugs in the amount of software that is "Enterprise Linux" does not seem balanced enough. Also, insofar as OpenSSL is well associated with open source Linux, it is likely that fixing Heartbleed-like bugs will be covered by {Redhat, ...} support. This adds to an argument that there actually is funding for OpenSSL etc., or, conversely, that there is never enough funding for all the software to be bug free. At least, that seems to be the argument of the articles: that funding and enterprise support is supposed to achieve so high a quality of software that it would have prevented Heartbleed etc. OTOH, and bringing this back to Ada, the CVE sites state quite openly that most of the issues have to do with int, malloc, computed pointers, and assumptions that are not reflected in all of these (overflow, say). If it is possible to make programmers use an Ada style fundamental type system instead, thus also better arrays and fewer pointers, this change would naturally reflect more of the assumptions. The conclusion can only be that this change makes the software so written as good as the assumptions. According to McCormick's findings, that's not nothing. The fundamentals do matter.