From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=unavailable autolearn_force=no version=3.4.4 X-Received: by 10.58.22.166 with SMTP id e6mr14973036vef.6.1397944441243; Sat, 19 Apr 2014 14:54:01 -0700 (PDT) Path: eternal-september.org!reader01.eternal-september.org!reader02.eternal-september.org!news.eternal-september.org!news.eternal-september.org!news.eternal-september.org!feeder.eternal-september.org!usenet.blueworldhosting.com!feeder01.blueworldhosting.com!peer02.iad.highwinds-media.com!news.highwinds-media.com!feed-me.highwinds-media.com!m5no3406349qaj.1!news-out.google.com!dz10ni15555qab.1!nntp.google.com!Xl.tags.giganews.com!border1.nntp.dca.giganews.com!nntp.giganews.com!local2.nntp.dca.giganews.com!news.giganews.com.POSTED!not-for-mail NNTP-Posting-Date: Sat, 19 Apr 2014 16:54:00 -0500 Date: Sat, 19 Apr 2014 17:53:59 -0400 From: Alan Browne User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.4.0 MIME-Version: 1.0 Newsgroups: comp.lang.ada Subject: Re: [OT] OpenBSD, was: Re: OpenSSL development (Heartbleed) References: <-OGdnezdYpRWFc_OnZ2dnUVZ_vednZ2d@giganews.com> <535297f1$0$6715$9b4e6d93@newsspool3.arcor-online.net> <5352a76f$0$6720$9b4e6d93@newsspool3.arcor-online.net> <3ZSdnd4A49AxV8_OnZ2dnUVZ_qSdnZ2d@giganews.com> <5352da76$0$6701$9b4e6d93@newsspool2.arcor-online.net> In-Reply-To: Message-ID: X-Usenet-Provider: http://www.giganews.com X-Trace: sv3-4UTGM88Ehv/Bdn8crtO+lG7Vug5jn87A+WPr4uYlI77PztKBmPOGi7EzBol/+fKfCxZVWfa3wzn/iMc!42iLwfqhEHIahjuDIpFdJnoEPUAyJuTH1gZI5tWLbpzX0Fbvty971CXsWByvg0F/NxKqqSnmfQ== X-Complaints-To: abuse@giganews.com X-DMCA-Notifications: http://www.giganews.com/info/dmca.html X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your complaint properly X-Postfilter: 1.3.40 X-Original-Bytes: 3837 Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: quoted-printable X-Received-Bytes: 4140 X-Received-Body-CRC: 2851280931 Xref: news.eternal-september.org comp.lang.ada:19459 Date: 2014-04-19T17:53:59-04:00 List-Id: On 2014.04.19, 17:10 , Simon Clubley wrote: > On 2014-04-19, Alan Browne wrote: >> On 2014.04.19, 16:20 , Georg Bauhaus wrote: >>> OTOH, and bringing this back to Ada, the CVE sites state quite >>> openly that most of the issues have to do with int, malloc, >>> computed pointers, and assumptions that are not reflected in all >>> of these (overflow, say). >> >> QUOTE >> Theo de Raadt, founder and leader of the OpenBSD and OpenSSH projects,= >> has criticized the OpenSSL developers for writing their own memory >> management routines and thereby circumventing OpenBSD C standard libra= ry >> exploit countermeasures, saying "OpenSSL is not developed by a >> responsible team." >> ENDQUOTE >> >> Ironic that one Open team leader is criticizing another >> > > Not if you know what Theo is like. :-) > >> But, he may be right. >> >> Would he subject his teams to a more rigorous process? To Ada? >> > > Yes to the first; unknown on the second. > > OpenBSD has a reputation as a reasonably secure (by Unix standards) > operating system precisely due to the auditing the OpenBSD team > carries out. > > Note that this is a reputation based assessment; I don't have much > direct experience with OpenBSD. > > Some reading you may find of interest: > > http://www.openbsd.org/security.html Seen it before. I don't really believe their philosophy is forward=20 thinking. (Audit things to death and you will find bugs and improve the = system) is not what the world should be doing. It should be designing=20 and engineering things so that they are not likely to have security=20 holes and bugs in the first place. In effect they are confirming that C is a terrible language to write=20 anything requiring security and so it needs never ending vigilance. So what they are doing is right for anything written in Cieve. (Get it? C + Sieve =3D Cieve). Not to say Ada results in bullet proof - but if used as intended there=20 would be very few security holes of the many sorts that seem to pop up. --=20 "Big data can reduce anything to a single number, but you shouldn=92t be fooled by the appearance of exactitude." -Gary Marcus and Ernest Davis, NYT, 2014.04.07