Joe writes:
> Which didn't happen, at least not for two years.

It happened eventually, which is my point.
> I would suggest that for any software as critical as OpenSSL, more
> than one pair of eyes would have been appropriate *before* release.

I would suggest that critical projects such as OpenSSL need to practice a form of "dependency management" analogous to "supply chain management": track dependency chains and periodically re-qualify each level. A full audit might not be possible, but at least look closely enough to notice when a library is being supported by one overworked guy who is taking patches from random strangers.

NOTE: this is just a suggestion. I don't claim to be any sort of security expert, nor am I trying to tell anyone what to do.
-- 
John Hasler 
j...@sugarbit.com
Elmwood, WI USA
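The "track dependency chains and periodically re-qualify each level" idea, as an added example that is not from the thread: a constructed dependency graph (hypothetical package names, maintainer counts and review dates) is walked transitively from a root, and each level is flagged when it is single-maintainer or overdue for review.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Dep:
    maintainers: int     # active maintainers (constructed values)
    last_review: date    # date this level was last re-qualified
    requires: tuple      # direct dependencies

# Constructed sample graph; package names, counts and dates are hypothetical.
GRAPH = {
    "webapp":   Dep(4, date(2024, 1, 10), ("tls-lib", "json-lib")),
    "tls-lib":  Dep(1, date(2022, 3, 1),  ("bignum",)),
    "json-lib": Dep(3, date(2024, 2, 5),  ()),
    "bignum":   Dep(2, date(2021, 6, 20), ()),
}
TODAY = date(2024, 3, 1)  # assumed "now" for the example

def transitive_deps(root, graph):
    """Map every package reachable from root to its shallowest depth."""
    seen = {}
    stack = [(root, 0)]
    while stack:
        name, depth = stack.pop()
        if name in seen and seen[name] <= depth:
            continue
        seen[name] = depth
        for child in graph[name].requires:
            stack.append((child, depth + 1))
    return seen

def requalify(root, graph, today, max_review_age_days=365, min_maintainers=2):
    """Flag each transitive dependency that fails the re-qualification policy.
    Returns a list of (depth, name, reasons) sorted by depth."""
    findings = []
    for name, depth in transitive_deps(root, graph).items():
        if name == root:
            continue
        dep = graph[name]
        reasons = []
        if dep.maintainers < min_maintainers:
            reasons.append("single-maintainer")
        if (today - dep.last_review).days > max_review_age_days:
            reasons.append("review-overdue")
        if reasons:
            findings.append((depth, name, reasons))
    return sorted(findings)

def run_example():
    return requalify("webapp", GRAPH, TODAY)
```

The thresholds are policy knobs; the point is that the indirect dependency (`bignum`, two levels down) is surfaced by the same walk as the direct one.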