[Cryptography] bounded pointers in C
Nemo
nemo at self-evident.org
Sun Apr 20 21:51:08 EDT 2014
"Salz, Rich" <rsalz at akamai.com> writes:
> If OpenBSD accomplishes anything, and to my eyes that's still a pretty
> big if, it will be because OpenSSL gave them a source base to work
> from that has been in real-world use for more than 15 years.
Please, please, please say you are joking.
Have you actually LOOKED at the commits? "Garbage" is too kind a word
for the OpenSSL source. That fetid pile of bug-ridden, unauditable
excrement could be in "real-world use" for 50 years, and it would still
be a fetid pile of bug-ridden, unauditable excrement.
There is a lot of bad code in the "real world", because there are a lot
of bad programmers in the world. Regrettably, some have roles like
"Principal Engineer" or "Linux /dev/random maintainer".
But reality has a way of asserting itself in the end. Heartbleed is just
the latest and greatest in a long line of disasters in a laughable
implementation of a poorly-conceived protocol. More will surely follow.
It need not be like this. Some developers really are capable of writing
solid code, while others are not. Far too few understand this.
If you can look at the OpenSSL source and not feel a bit of vomit in
your mouth, then I do not know what to say to you. But I do know I want
you nowhere near any system I rely upon for my privacy.
- Nemo
https://self-evident.org/
More information about the cryptography
mailing list