From: Alan Browne <alan.browne@FreelunchVideotron.ca>
Subject: Re: OpenSSL development (Heartbleed)
Date: Sat, 19 Apr 2014 11:41:20 -0400
Message-ID: <6aOdncE8jYG9BM_OnZ2dnUVZ_umdnZ2d@giganews.com>
In-Reply-To: <liu3dc$svl$1@speranza.aioe.org>
On 2014.04.19, 11:06, Nasser M. Abbasi wrote:
> On 4/19/2014 9:31 AM, Alan Browne wrote:
>>
>> Good article in the NYT:
>>
>> http://www.nytimes.com/2014/04/19/technology/heartbleed-highlights-a-contradiction-in-the-web.html?ref=business
>>
>>
>
> Ok, I read the article. The main point seems to
> blame lack of funding from corporations that use
> OpenSSL, which is developed as open source by
> volunteers.
>
> Some student submitted a patch on the eve of 2011
> with the bug. The patch was "vetted" by a more
> senior developer later on, and so now we have it.
>
> I do not see anywhere how regression testing is
> done in this picture. Is there a lab full of networks
> and computers used to run thousands of regression
> tests each time a new software update is made? What
Testing?
Bwahahahaahahahahahahahaahahahaaaaaaaaaa aaaa aaaa a a
> was the result of these regression tests at that time?
> Where is the report on that? The problem seems to
> be with lack of test coverage and weak testing
> methodology used. Maybe due to lack of resources
> or for other reasons.
Resources - or rather how they are employed - is the primary issue.
>
> Yes, big companies need to donate more money to
> OpenSSL, but also testing should be improved.
>
> Other than the problem with using C, more internal
> testing is needed by open source developers. (Even more,
> since they use C, and not Ada :).
Language is not the issue. The issue is a lack of defined requirements
which leads to design, documentation, testing, etc. For something as
critical as SSL one would hope that more care would go into change
management and testing. But that's a laugh in open source - everyone
wants to code - not document.
Someone receiving $2K a year (if that) is not going to spend much time
editing and revising requirements... and students working on it see
their code "working" and that is sufficient. Time to move on to getting
your paws up Susie's skirt or finding a job at McDonald's.
Apple went a different direction. Not especially for security reasons
but that they found OpenSSL bloated and no longer fitting their future
needs.
http://appleinsider.com/articles/14/04/18/how-apple-dodged-the-heartbleed-bullet
But they still do everything in C variants and that is not going to change.
--
"Big data can reduce anything to a single number,
but you shouldn’t be fooled by the appearance of exactitude."
-Gary Marcus and Ernest Davis, NYT, 2014.04.07
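The regression test the thread asks about, written out as an added example that is not code from the thread or from OpenSSL: a bounds-checked parser for a TLS heartbeat record (the RFC 6520 layout as I read it: one type byte, a two-byte payload_length, the payload, then at least 16 bytes of padding) plus a test that fails whenever the claimed payload length is trusted over the number of bytes actually received. The record bytes, the function names and the HB_ constants are all constructed for this illustration.

```c
/* Added example (not from the thread or OpenSSL): a bounds-checked TLS
 * heartbeat parser and the regression test for the check it performs.
 * Layout assumed from RFC 6520: type (1 byte), payload_length (2 bytes),
 * payload, then >= 16 bytes of padding. All sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HB_HEADER_LEN 3    /* type (1) + payload_length (2) */
#define HB_MIN_PADDING 16  /* RFC 6520: at least 16 bytes of padding */

enum hb_status { HB_OK = 0, HB_TRUNCATED = 1, HB_BAD_LENGTH = 2 };

struct heartbeat {
    uint8_t type;
    uint16_t payload_length;
    const uint8_t *payload;   /* points into the caller's record buffer */
};

/* The requirement under test: the claimed payload length, which comes from
 * the peer, must fit inside the bytes actually received, with room left for
 * the mandatory padding. Returns 1 if it fits, 0 otherwise. */
int heartbeat_length_ok(uint16_t claimed, size_t record_len)
{
    return (size_t)HB_HEADER_LEN + claimed + HB_MIN_PADDING <= record_len;
}

/* Parse a heartbeat message from a received record of record_len bytes.
 * No byte beyond record_len is ever read; the claimed length is checked
 * before the payload pointer is handed out. */
enum hb_status parse_heartbeat(const uint8_t *rec, size_t record_len,
                               struct heartbeat *out)
{
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_TRUNCATED;       /* not even a full header plus padding */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (!heartbeat_length_ok(claimed, record_len))
        return HB_BAD_LENGTH;      /* peer claims more bytes than it sent */
    out->type = rec[0];
    out->payload_length = claimed;
    out->payload = rec + HB_HEADER_LEN;
    return HB_OK;
}

/* Build the response: echo only the validated payload. Returns the number
 * of bytes written, or 0 if the response would not fit in buf. */
size_t build_heartbeat_response(const struct heartbeat *req,
                                uint8_t *buf, size_t buf_len)
{
    size_t need = HB_HEADER_LEN + req->payload_length + HB_MIN_PADDING;
    if (need > buf_len) return 0;
    buf[0] = 2;                                    /* heartbeat_response */
    buf[1] = (uint8_t)(req->payload_length >> 8);
    buf[2] = (uint8_t)(req->payload_length & 0xff);
    memcpy(buf + HB_HEADER_LEN, req->payload, req->payload_length);
    memset(buf + HB_HEADER_LEN + req->payload_length, 0, HB_MIN_PADDING);
    return need;
}

/* Regression test: an honest request parses and is echoed; a request that
 * claims far more payload than the record holds is rejected; a record too
 * short to hold a header and padding is rejected. Returns 1 on pass. */
int heartbeat_regression_test(void)
{
    /* constructed: type 1 (request), payload_length 4, payload "ping",
     * 16 zero padding bytes; 23 bytes in total */
    uint8_t rec[HB_HEADER_LEN + 4 + HB_MIN_PADDING] = {1, 0, 4, 'p', 'i', 'n', 'g'};
    struct heartbeat hb;
    uint8_t resp[64];

    if (parse_heartbeat(rec, sizeof rec, &hb) != HB_OK) return 0;
    if (hb.payload_length != 4 || memcmp(hb.payload, "ping", 4) != 0) return 0;
    if (build_heartbeat_response(&hb, resp, sizeof resp) != sizeof rec) return 0;

    /* constructed: same 23-byte record, now claiming 65535 payload bytes */
    rec[1] = 0xff; rec[2] = 0xff;
    if (parse_heartbeat(rec, sizeof rec, &hb) != HB_BAD_LENGTH) return 0;

    /* constructed: only 10 bytes received */
    if (parse_heartbeat(rec, 10, &hb) != HB_TRUNCATED) return 0;
    return 1;
}

int main(void)
{
    int ok = heartbeat_regression_test();
    printf("heartbeat regression test: %s\n", ok ? "PASS" : "FAIL");
    return ok ? 0 : 1;
}
```

The point of the test is that it encodes the requirement the thread says was never written down: the second case is exactly the input an unchecked parser would accept, so a change that drops the length check fails the build rather than shipping.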
Thread overview: 44+ messages
2014-04-19 14:31 OpenSSL development (Heartbleed) Alan Browne
2014-04-19 15:06 ` Nasser M. Abbasi
2014-04-19 15:41 ` Alan Browne [this message]
2014-04-19 15:36 ` Georg Bauhaus
2014-04-19 16:00 ` Yannick Duchêne (Hibou57)
2014-04-19 16:34 ` Georg Bauhaus
2014-04-19 17:06 ` Yannick Duchêne (Hibou57)
2014-04-19 19:13 ` Georg Bauhaus
2014-04-19 20:39 ` Yannick Duchêne (Hibou57)
2014-04-19 19:42 ` Alan Browne
2014-04-21 23:51 ` Randy Brukardt
2014-04-22 15:20 ` G.B.
2014-04-22 16:33 ` Dmitry A. Kazakov
2014-04-22 16:57 ` Simon Clubley
2014-04-22 19:53 ` Dmitry A. Kazakov
2014-04-22 20:49 ` Yannick Duchêne (Hibou57)
2014-04-23 5:38 ` Natasha Kerensikova
2014-04-23 7:30 ` Dmitry A. Kazakov
2014-04-23 7:40 ` Natasha Kerensikova
2014-04-23 8:04 ` Dmitry A. Kazakov
2014-04-23 8:20 ` Georg Bauhaus
2014-04-23 7:42 ` Egil H H
2014-04-23 8:06 ` Georg Bauhaus
2014-04-19 16:06 ` Alan Browne
2014-04-19 16:42 ` Georg Bauhaus
2014-04-19 16:59 ` Georg Bauhaus
2014-04-19 19:12 ` Alan Browne
2014-04-19 20:20 ` Georg Bauhaus
2014-04-19 20:53 ` Alan Browne
2014-04-19 21:10 ` [OT] OpenBSD, was: " Simon Clubley
2014-04-19 21:53 ` Alan Browne
2014-04-19 22:15 ` Nasser M. Abbasi
2014-04-19 22:34 ` Alan Browne
2014-04-20 8:17 ` Georg Bauhaus
2014-04-20 16:49 ` Alan Browne
2014-04-22 12:18 ` G.B.
2014-04-19 15:47 ` Yannick Duchêne (Hibou57)
2014-04-19 16:21 ` Alan Browne
2014-04-19 16:46 ` Georg Bauhaus
2014-04-19 19:22 ` Alan Browne
2014-04-19 20:33 ` Georg Bauhaus
2014-04-19 21:10 ` Alan Browne
2014-04-19 16:50 ` Yannick Duchêne (Hibou57)
2014-04-19 19:25 ` Alan Browne