comp.lang.ada
From: Alan Browne <alan.browne@FreelunchVideotron.ca>
Subject: Re: [OT] OpenBSD, was: Re: OpenSSL development (Heartbleed)
Date: Sat, 19 Apr 2014 17:53:59 -0400
Message-ID: <T86dnbo6gLflbc_OnZ2dnUVZ_tGdnZ2d@giganews.com>
In-Reply-To: <liuonu$i3r$1@dont-email.me>

On 2014.04.19, 17:10 , Simon Clubley wrote:
> On 2014-04-19, Alan Browne <alan.browne@FreelunchVideotron.ca> wrote:
>> On 2014.04.19, 16:20 , Georg Bauhaus wrote:
>>> OTOH, and bringing this back to Ada, the CVE sites state quite
>>> openly that most of the issues have to do with int, malloc,
>>> computed pointers, and assumptions that are not reflected in all
>>> of these (overflow, say).
>>
>> QUOTE
>> Theo de Raadt, founder and leader of the OpenBSD and OpenSSH projects,
>> has criticized the OpenSSL developers for writing their own memory
>> management routines and thereby circumventing OpenBSD C standard library
>> exploit countermeasures, saying "OpenSSL is not developed by a
>> responsible team."
>> ENDQUOTE
>>
>> Ironic that one Open team leader is criticizing another <g>
>>
>
> Not if you know what Theo is like. :-)
>
>> But, he may be right.
>>
>> Would he subject his teams to a more rigorous process?  To Ada?
>>
>
> Yes to the first; unknown on the second.
>
> OpenBSD has a reputation as a reasonably secure (by Unix standards)
> operating system precisely due to the auditing the OpenBSD team
> carries out.
>
> Note that this is a reputation based assessment; I don't have much
> direct experience with OpenBSD.
>
> Some reading you may find of interest:
>
> 	http://www.openbsd.org/security.html

Seen it before.  I don't really believe their philosophy is
forward-thinking.  (Audit things to death and you will find bugs and improve the
system) is not what the world should be doing.  It should be designing
and engineering things so that they are not likely to have security
holes and bugs in the first place.

In effect they are confirming that C is a terrible language to write
anything requiring security and so it needs never-ending vigilance.

So what they are doing is right for anything written in Cieve.

(Get it? C + Sieve = Cieve).

Not to say Ada results in bulletproof - but if used as intended there
would be very few security holes of the many sorts that seem to pop up.


-- 
"Big data can reduce anything to a single number,
  but you shouldn’t be fooled by the appearance of exactitude."
      -Gary Marcus and Ernest Davis, NYT, 2014.04.07
