comp.lang.ada
From: Alan Browne <alan.browne@FreelunchVideotron.ca>
Subject: Re: OpenSSL development (Heartbleed)
Date: Sat, 19 Apr 2014 16:53:06 -0400
Message-ID: <gfadnaRgQ9iuf8_OnZ2dnUVZ_o-dnZ2d@giganews.com>
In-Reply-To: <5352da76$0$6701$9b4e6d93@newsspool2.arcor-online.net>

On 2014.04.19, 16:20 , Georg Bauhaus wrote:
> On 19/04/14 21:12, Alan Browne wrote:
>>
>> No.  Where OpenSSL is underfunded and has a population of maybe 4
>> programmers dedicated to it (the guy who created the bug not being one
>> of the 4) released an important security breach upon the masses;
>>
>> Contrast with OpenSourced Linux which has a well (corporate) funded
>> organization and has a lot more eyeballs on the code and hasn't (Linux
>> itself) suffered any major or embarrassing problems.
>
> A comparison of one bug in one library to bugs in the amount of
> software that is "Enterprise Linux"  does not seem balanced
> enough.

I was simply refuting that the 2nd article was the "same thing" as the 
first.  The 2nd pointed out two cases.


>       Also, insofar as OpenSSL is well associated with
> open source Linux, it is likely that fixing Heartbleed-like
> bugs will be covered by {Redhat, ...} support. This adds to
> an argument that there actually is funding for OpenSSL etc.,
> or, conversely, that there is never enough funding for all the
> software to be bug free.

OpenSSL appears from these reports to be "out on the limb" away from the 
more richly supported trunk.

>   At least, that seems to be the argument of the articles:
> that funding and enterprise support is supposed to achieve
> so high a quality of software that it would have prevented
> Heartbleed etc.

Reduced the likelihood, anyway.

Truly, it would be better if requirements were set and then the s/w 
designed, nay, engineered, to meet the requirements.  One day perhaps.

But until someone (an entity) seizes control of the release process, 
there will be no engineering to a level that would prevent these sorts 
of problems.

This is not the last.

> OTOH, and bringing this back to Ada, the CVE sites state quite
> openly that most of the issues have to do with int, malloc,
> computed pointers, and assumptions that are not reflected in all
> of these (overflow, say).

QUOTE
Theo de Raadt, founder and leader of the OpenBSD and OpenSSH projects, 
has criticized the OpenSSL developers for writing their own memory 
management routines and thereby circumventing OpenBSD C standard library 
exploit countermeasures, saying "OpenSSL is not developed by a 
responsible team."
ENDQUOTE

Ironic that one Open team leader is criticizing another <g>

But, he may be right.

Would he subject his teams to a more rigorous process?  To Ada?


>   If it is possible to make programmers use an Ada style fundamental
> type system instead, thus also better arrays and fewer pointers,
> this change would naturally reflect more of the assumptions. The
> conclusion can only be that this change makes the software so written
> as good as the assumptions. According to McCormick's findings,
> that's not nothing. The fundamentals do matter.

Of course they do.

Now, do you really think the industry will change to something more 
formalized and requirements driven?  Use Ada as a fundamental building 
block of it?

-- 
"Big data can reduce anything to a single number,
  but you shouldn’t be fooled by the appearance of exactitude."
      -Gary Marcus and Ernest Davis, NYT, 2014.04.07
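Georg's point that an Ada-style type system makes the length assumption part of the program itself can be seen on a Heartbeat-shaped record. This is an added example, not code from the thread or from OpenSSL; the record layout is simplified (no padding), and the procedure names and sample bytes are constructed.

```ada
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;
with Interfaces;     use Interfaces;

procedure Heartbeat_Echo_Demo is
   -- Constructed layout: 1 byte of type, a 2-byte big-endian payload
   -- length, then the payload (padding omitted for brevity).
   type Byte_Array is array (Positive range <>) of Unsigned_8;

   -- The range assumption on the length field is part of the declaration.
   subtype Payload_Length is Natural range 0 .. 16#FFFF#;
   Truncated_Header : exception;

   function Claimed_Length (Rec : Byte_Array) return Payload_Length is
   begin
      if Rec'Length < 3 then
         raise Truncated_Header;
      end if;
      return Natural (Rec (Rec'First + 1)) * 256
           + Natural (Rec (Rec'First + 2));
   end Claimed_Length;

   -- The slice is bounds-checked by the language: a length field larger
   -- than the record raises Constraint_Error instead of reading past it.
   function Echo_Payload (Rec : Byte_Array) return Byte_Array is
      First : constant Positive := Rec'First + 3;
   begin
      return Rec (First .. First + Claimed_Length (Rec) - 1);
   end Echo_Payload;

   -- Well-formed: type 1, length 3, payload "abc" (constructed bytes).
   Good : constant Byte_Array := (1, 0, 3, 16#61#, 16#62#, 16#63#);
   -- Malformed: claims 16#4000# bytes but carries only three.
   Bad  : constant Byte_Array := (1, 16#40#, 0, 16#61#, 16#62#, 16#63#);

   procedure Try (Label : String; Rec : Byte_Array) is
   begin
      declare
         Payload : constant Byte_Array := Echo_Payload (Rec);
      begin
         Put_Line (Label & ": echoed" & Integer'Image (Payload'Length) & " bytes");
      end;
   exception
      when E : Constraint_Error | Truncated_Header =>
         Put_Line (Label & ": rejected (" & Exception_Name (E) & ")");
   end Try;
begin
   Try ("good", Good);
   Try ("bad", Bad);
end Heartbeat_Echo_Demo;
```

The malformed record is rejected by the runtime check on the slice, with no separate length comparison to forget; in C the same assumption lives only in a check the programmer has to remember to write.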
