In article <[EMAIL PROTECTED]> you write:
>Both OpenSSL and Apache programmers did this, in carefully reviewed
>code which was written in response to a security report.  They simply
>didn't know that there is a potential problem.  The reason for this
>gap in knowledge isn't quite clear to me.

Well, it's reasonably clear to me.

I've been reviewing code for the OpenBSD project, it's incredible the
number of errors you can find in code which is supposed to
- have been written by competent programmers;
- have been reviewed by tens of people.

Quite simply, formal code reviews in free software don't work. The `many
eyes' paradigm is a fallacy. Ten persons can look at the same code and
fail to notice a problem if they don't look for the right thing.

A lot of people don't even think about overflows when they look at
arithmetic, there are a lot of integer overflows out there.

I still routinely find off-by-one accesses in buffers, some of them
quite obvious. The only reason I see them is because my malloc can put
allocations on page boundaries, and thus the program barfs here, and not
on other machines.

A lot of people don't know about the peculiarities of C signed
arithmetic.

A lot of `portable' code that uses C arithmetic buries such
peculiarities under tons of macros and typedefs such that it is really
hard to figure out what's going on even if you understand the issues.
From past experience, both Apache and OpenSSL are very bad in that
regard.

Bottom-line is, if it passes tests on major architectures and major
OSes, it's very unlikely that someone will notice something is amiss,
and that the same someone will have the knowledge to fix it. If it
passes all practical tests, but is incorrect, from a language point of
view, it is even more unlikely.
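As an added illustration (example code, not from the post above nor from OpenSSL or Apache), the three C pitfalls the post names, each shown as the unchecked form beside a checked form that rejects the bad input before any memory access happens. All function names are hypothetical; the inputs are constructed for the demonstration:

```c
/* Added example: integer overflow, signed-length checks and off-by-one
 * terminators in C. Not code from the original post or any project. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- 1. Integer overflow in a size computation -------------------------- */

/* Unchecked: count * size silently wraps in size_t, so a huge request can
 * turn into a tiny allocation that is later overrun. */
size_t alloc_size_unchecked(size_t count, size_t size) {
    return count * size;
}

/* Checked: detect the wrap before multiplying. Returns 0 to signal overflow
 * (0 is never a useful allocation size here). */
size_t alloc_size_checked(size_t count, size_t size) {
    if (size != 0 && count > SIZE_MAX / size)
        return 0;
    return count * size;
}

/* --- 2. Signed arithmetic: a negative length that passes an int check ---- */

/* Unchecked: both operands are int, so -1 <= 256 is true. The same -1 then
 * becomes SIZE_MAX when handed to memcpy's size_t parameter. */
int length_ok_signed(int len, int cap) {
    return len <= cap;
}

/* Checked: reject negatives explicitly, then compare as size_t. */
int length_ok(int len, size_t cap) {
    if (len < 0)
        return 0;
    return (size_t)len <= cap;
}

/* What memcpy would actually receive for a negative int length. */
size_t as_memcpy_length(int len) {
    return (size_t)len;
}

/* --- 3. Off-by-one: forgetting the terminating NUL ---------------------- */

/* Unchecked: strlen(src) <= dstsz lets a string of exactly dstsz bytes
 * through, and the NUL written after it lands one byte past the buffer.
 * With a malloc that places allocations at the end of a page (as the post
 * describes), that byte hits an unmapped page and the program crashes;
 * elsewhere it silently corrupts the neighbouring allocation. */
int fits_off_by_one(const char *src, size_t dstsz) {
    return strlen(src) <= dstsz;
}

/* Checked: the string plus its terminator must fit. Written as n < dstsz
 * rather than n + 1 <= dstsz so the +1 cannot itself wrap. */
int fits_with_nul(const char *src, size_t dstsz) {
    return strlen(src) < dstsz;
}

/* Copy into a fixed 4-byte buffer only if it fits; returns 1 on success. */
int copy_into_4_bytes(const char *src) {
    char buf[4];
    if (!fits_with_nul(src, sizeof buf))
        return 0;
    memcpy(buf, src, strlen(src) + 1);
    return buf[0] == src[0];   /* use buf so the copy is not optimised away */
}

int main(void) {
    printf("SIZE_MAX * 2: unchecked -> %zu, checked -> %zu\n",
           alloc_size_unchecked(SIZE_MAX, 2), alloc_size_checked(SIZE_MAX, 2));
    printf("len -1 vs cap 256: int check %d, fixed check %d, memcpy would see %zu\n",
           length_ok_signed(-1, 256), length_ok(-1, 256), as_memcpy_length(-1));
    printf("\"abcd\" into 4 bytes: off-by-one check %d, fixed check %d\n",
           fits_off_by_one("abcd", 4), fits_with_nul("abcd", 4));
    return 0;
}
```

Compiling with `-Wall -Wextra -Wsign-compare` flags the int-versus-size_t comparison in the second pair, which is the kind of warning the post says reviewers routinely overlook; the first and third pairs produce no warning at all, so only a reviewer who is looking for wraparound and terminator accounting will spot them.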
