From mboxrd@z Thu Jan 1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level:
X-Spam-Status: No, score=-0.3 required=5.0 tests=BAYES_00, REPLYTO_WITHOUT_TO_CC autolearn=no autolearn_force=no version=3.4.4
Path: backlog4.nntp.dca3.giganews.com!border2.nntp.dca.giganews.com!nntp.giganews.com!newspeer1.nac.net!feeder.erje.net!eu.feeder.erje.net!news.stack.nl!aioe.org!.POSTED!not-for-mail
From: "Nasser M. Abbasi"
Newsgroups: comp.lang.ada
Subject: Re: OpenSSL development (Heartbleed)
Date: Sat, 19 Apr 2014 10:06:24 -0500
Organization: Aioe.org NNTP Server
Message-ID:
References: <-OGdnezdYpRWFc_OnZ2dnUVZ_vednZ2d@giganews.com>
Reply-To: nma@12000.org
NNTP-Posting-Host: 7gvRUE2kI2ecyAJ6lhEzgg.user.speranza.aioe.org
Mime-Version: 1.0
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-Complaints-To: abuse@aioe.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
X-Notice: Filtered by postfilter v. 0.8.2
Xref: number.nntp.dca.giganews.com comp.lang.ada:185854
Date: 2014-04-19T10:06:24-05:00
List-Id:

On 4/19/2014 9:31 AM, Alan Browne wrote:
>
> Good article in the NYT:
>
> http://www.nytimes.com/2014/04/19/technology/heartbleed-highlights-a-contradiction-in-the-web.html?ref=business
>

Ok, I read the article. The main point seems to blame lack of funding from corporations that use OpenSSL, which is developed as open source by volunteers. Some student submitted a patch on the eve of 2011 with the bug. The patch was "vetted" by a more senior developer later on, and so now we have it. I do not see anywhere how regression testing is done in this picture. Is there a lab full of networks and computers used to run thousands of regression tests each time a new software update is made? What was the result of these regression tests at that time? Where is the report on that?

The problem seems to be a lack of test coverage and the weak testing methodology used. Maybe due to lack of resources, or for other reasons. Yes, big companies need to donate more money to OpenSSL, but also testing should be improved. Other than the problem with using C, more internal testing is needed by open source developers. (Even more so, since they use C, and not Ada :).

--Nasser
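As an added illustration of the regression-testing point made in the post above (this is not code from the thread or from OpenSSL), the snippet below shows the kind of unit test that catches the Heartbleed bug class: a length-prefixed record whose declared payload length is never compared against the number of bytes actually received. The record layout (1-byte type, 2-byte big-endian length, payload) is a constructed simplification, and `echo_payload`, `MAX_REPLY` and the test functions are hypothetical names chosen for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout, loosely modelled on a heartbeat-style
   echo message: 1-byte type, 2-byte big-endian declared payload
   length, then the payload bytes. Not OpenSSL's code. */
#define MAX_REPLY 4096

/* Copies the record header and payload into 'reply' and returns the
   number of bytes written, or -1 if the record is malformed.
   'received' is the byte count the transport actually delivered for
   this record; the declared length must be checked against it. */
int echo_payload(const uint8_t *record, size_t received,
                 uint8_t *reply, size_t reply_cap)
{
    if (received < 3)
        return -1;                       /* header incomplete */

    uint16_t declared = (uint16_t)((record[1] << 8) | record[2]);

    /* The check that matters: the declared length must fit inside the
       bytes we really received, otherwise memcpy would read past the
       record into adjacent memory and echo it back to the peer. */
    if ((size_t)declared > received - 3)
        return -1;
    if ((size_t)declared + 3 > reply_cap)
        return -1;                       /* reply buffer too small */

    reply[0] = record[0];
    reply[1] = record[1];
    reply[2] = record[2];
    memcpy(reply + 3, record + 3, declared);
    return (int)(declared + 3);
}

/* Regression cases; each returns 1 on pass, 0 on failure. */
int test_honest_length(void)
{
    /* Constructed record: declares 4 payload bytes, sends 4. */
    uint8_t rec[] = {0x01, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t out[MAX_REPLY];
    int n = echo_payload(rec, sizeof rec, out, sizeof out);
    return n == 7 && memcmp(out + 3, "ping", 4) == 0;
}

int test_overstated_length(void)
{
    /* Constructed record: declares 0xFFFF payload bytes, sends 4.
       A correct parser must reject this rather than over-read. */
    uint8_t rec[] = {0x01, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};
    uint8_t out[MAX_REPLY];
    return echo_payload(rec, sizeof rec, out, sizeof out) == -1;
}

int test_truncated_header(void)
{
    /* Constructed record: only 2 of the 3 header bytes arrived. */
    uint8_t rec[] = {0x01, 0x00};
    uint8_t out[MAX_REPLY];
    return echo_payload(rec, sizeof rec, out, sizeof out) == -1;
}

int main(void)
{
    printf("honest length:     %s\n", test_honest_length() ? "pass" : "FAIL");
    printf("overstated length: %s\n", test_overstated_length() ? "pass" : "FAIL");
    printf("truncated header:  %s\n", test_truncated_header() ? "pass" : "FAIL");
    return 0;
}
```

The point of the second case is that a test suite which only feeds well-formed records would pass against a parser with the bounds check removed; a regression test has to include the dishonest length explicitly.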