From: Alan Browne
Newsgroups: comp.lang.ada
Subject: Re: OpenSSL development (Heartbleed)
Date: Sat, 19 Apr 2014 11:41:20 -0400
Message-ID: <6aOdncE8jYG9BM_OnZ2dnUVZ_umdnZ2d@giganews.com>
References: <-OGdnezdYpRWFc_OnZ2dnUVZ_vednZ2d@giganews.com>

On 2014.04.19, 11:06 , Nasser M. Abbasi wrote:
> On 4/19/2014 9:31 AM, Alan Browne wrote:
>>
>> Good article in the NYT:
>>
>> http://www.nytimes.com/2014/04/19/technology/heartbleed-highlights-a-contradiction-in-the-web.html?ref=business
>>
>
> Ok, I read the article. The main point seems to
> blame lack of funding from corporations that use
> OpenSSL, which is developed as open source by
> volunteers.
>
> Some student submitted a patch on the eve of 2011
> with the bug. The patch was "vetted" by a more
> senior developer later on, and so now we have it.
>
> I do not see anywhere how regression testing is
> done in this picture. Is there a lab full of networks
> and computers used to run thousands of regression
> tests each time a new software update is made?

What Testing?

Bwahahahaahahahahahahahaahahahaaaaaaaaaa aaaa aaaa a a

> What was the result of these regression tests at that time?
> Where is the report on that? The problem seems to
> be with lack of test coverage and weak testing
> methodology used. Maybe due to lack of resources
> or for other reasons.

Resources - or rather how they are employed - is the primary issue.

> Yes, big companies need to donate more money to
> openSSL, but also testing should be improved.
>
> Other than the problem with using C, more internal
> testing is needed by open source developers. (Even more,
> since they use C, and not Ada :).

Language is not the issue. The issue is a lack of defined requirements
which leads to design, documentation, testing, etc. For something as
critical as SSL one would hope that more care would go into change
management and testing. But that's a laugh in open source - everyone
wants to code - not document.

Someone receiving $2K a year (if that) is not going to spend much time
editing and revising requirements... and students working on it see
their code "working" and that is sufficient. Time to move on to getting
your paws up Susie's skirt or finding a job at McDonald's.

Apple went a different direction. Not especially for security reasons
but that they found OpenSSL bloated and no longer fitting their future
needs.

http://appleinsider.com/articles/14/04/18/how-apple-dodged-the-heartbleed-bullet

But they still do everything in C variants and that is not going to change.

--
"Big data can reduce anything to a single number, but you shouldn't be
fooled by the appearance of exactitude."
-Gary Marcus and Ernest Davis, NYT, 2014.04.07