[Cryptography] best practices considered bad term

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Feb 3 05:51:26 EST 2015


Viktor Dukhovni <cryptography at dukhovni.org> writes:

>Whether any given open-source project produces generally secure code requires
>some scrutiny of the development practices of that project.

Frequently it's not even "the project" but "the person who runs it", and that
transcends any open vs. closed-source issues.  I know of plenty of
closed-source projects for which the authors/maintainers take great pride in their
work, and it doesn't matter that it's closed-source because you know you're
getting a good product.  So a good maintainer is a lot more important than
whether it's closed or open source, or indeed most other religious issues
surrounding software development.  That's why I said many years ago that "The
Venema Development Method trumps the Vienna Development Method", i.e. what
matters is who develops something, not how it's developed.

(This then runs into the unfortunate situation that talent doesn't scale well,
which is an argument for not over-complicating security systems).

Peter.
