[Cryptography] best practices considered bad term

Jerry Leichter leichter at lrw.com
Tue Feb 3 06:46:42 EST 2015


On Feb 2, 2015, at 11:13 PM, Viktor Dukhovni <cryptography at dukhovni.org> wrote:
> I am currently involved in two starkly different OSS projects (also
> others, but these two are extremes on the security track-record
> spectrum), the first since 2001 and the second only recently.
> 
> In the first project:
<excellent enumeration of some of the stark differences in development practices between projects>
> So indeed, just being open-source does not ensure security....
I've seen similar contrasts between *commercial* projects.

Unfortunately, the economics of the marketplace - whether it's a matter of the actual sales needed to keep a commercial project going, or the adoption and ongoing interest that provide the people needed to keep an OSS project going - pushes hard against measures of internal quality and care.  Such projects are very few and far between.

Apple has figured out a way to sell *external* care and quality.  (Whether you, personally, like their designs isn't the point - enough people do, and are willing to pay to show that they do, to make it as successful as it is.)  Back in the heyday of Windows, no one (outside of a then-tiny and insignificant group of Apple groupies) believed that this could possibly matter.  "What people want is the cheapest possible PC."  Or phone, or whatever.  Time to market dominates all - first-mover advantage, yada yada yada.  You still hear those arguments made all the time when it comes to security.

So far no one has managed to find the way to market the qualities that emerge from solid internal design and care.

                                                        -- Jerry
