From: Simon Clubley
Newsgroups: comp.lang.ada
Subject: [OT] OpenBSD, was: Re: OpenSSL development (Heartbleed)
Date: Sat, 19 Apr 2014 21:10:23 +0000 (UTC)

On 2014-04-19, Alan Browne wrote:
> On 2014.04.19, 16:20 , Georg Bauhaus wrote:
>> OTOH, and bringing this back to Ada, the CVE sites state quite
>> openly that most of the issues have to do with int, malloc,
>> computed pointers, and assumptions that are not reflected in all
>> of these (overflow, say).
>
> QUOTE
> Theo de Raadt, founder and leader of the OpenBSD and OpenSSH projects,
> has criticized the OpenSSL developers for writing their own memory
> management routines and thereby circumventing OpenBSD C standard library
> exploit countermeasures, saying "OpenSSL is not developed by a
> responsible team."
> ENDQUOTE
>
> Ironic that one Open team leader is criticizing another
>

Not if you know what Theo is like. :-)

> But, he may be right.
>
> Would he subject his teams to a more rigorous process? To Ada?
>

Yes to the first; unknown on the second.

OpenBSD has a reputation as a reasonably secure (by Unix standards)
operating system precisely due to the auditing the OpenBSD team carries
out.

Note that this is a reputation-based assessment; I don't have much direct
experience with OpenBSD.

Some reading you may find of interest:

http://www.openbsd.org/security.html

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world