2014-04-14 10:02 GMT-03:00 Michael Wojcik <michael.woj...@microfocus.com>:

> > From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Roberto Spadim
> > Sent: Sunday, 13 April, 2014 13:53
> >
> > The problem isn't new features, the problem is how to write tests that should find security problems and tests to find bugs.
>
> A false dichotomy, as anyone with any significant experience in software development should recognize. Adding features increases the size of the code base and so increases the number of possible bug points; and due to combinatorial explosion, it greatly increases the number of cases to test.

Yes, just one point before continuing: OpenSSL is very good, I use it a lot, and I love it.
No problem about a bug here, just correct the code, upgrade the lib and test the system to see if it's OK.
Yes, I know security code systems are complex, and there are many things we can't cover before someone tries to execute an "abnormal" code path.

> As Steve Marquess pointed out, the issue is resources, plain and simple. Yes, in the specific case of Heartbleed, it would have helped to have rejected Robin Seggelmann's Heartbeat patch or review it more thoroughly. But other security issues are far more subtle and difficult to find by testing.
>
> In retrospect, the bug in Seggelmann's code is obvious; I looked at the diff for that commit and spotted it in seconds. But this is an area I have experience with and so I'm accustomed to looking for input overruns in untrusted data - it's the sort of thing you have to get used to doing when writing Wireshark dissectors and the like. A similarly serious bug in another area could easily escape me, and the same goes for all code reviewers: we have classes of faults we've been trained to notice, and others we're blind to.
>
> Steve's message, and his previous one about the no doubt temporary surge in donations, has prompted me to talk to my management again about an OSF support contract. I think this was raised years ago when we first started including OpenSSL, in a small way, with a couple of products; but paying money when it isn't required is often the sort of thing that falls by the wayside, even when everyone has good intentions.

Nice =) I think we are on the right way. OpenSSL is very good, and a bug is "OK", like MySQL some years ago: a user could log in just by retrying a wrong password. No problem, they found the bug, and the "good guys" corrected the database. Like here, the important part is to know the bug and correct it; everyone can update the lib and we are OK again :)
I really appreciate the OpenSSL guys' work, thanks guys.

> --
> Michael Wojcik
> Technology Specialist, Micro Focus
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

--
Roberto Spadim
SPAEmpresarial
Automation and Control Eng.
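The "input overrun in untrusted data" that Michael describes is the pattern of reading a length field out of a peer-supplied message and using it without comparing it to the number of bytes actually received. The block below is an added illustration written for this page, not OpenSSL's code and not Seggelmann's patch; it models only the heartbeat message layout from RFC 6520 (1-byte type, 2-byte big-endian payload_length, payload, at least 16 bytes of padding), and every function name, macro and sample record in it is hypothetical and constructed here. hb_accept_unchecked shows the fault class (it believes the length field); hb_accept_checked shows the kind of bound a reviewer trained on this class looks for, and hb_build_response only ever copies after that check has passed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical heartbeat record layout, following RFC 6520:
 *   1 byte   type (1 = request, 2 = response)
 *   2 bytes  payload_length, big-endian
 *   payload_length bytes of payload
 *   >= 16 bytes of padding
 * All names below are illustrative; this is not OpenSSL's code. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Read the 16-bit big-endian payload_length field. */
static size_t hb_payload_field(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* The fault class: trusting the peer-supplied length field. This returns 1
 * and reports the *claimed* payload length without ever comparing it to
 * rec_len, so a 20-byte record claiming 65535 bytes is "accepted" and any
 * later copy of payload_len bytes reads far past the record. */
int hb_accept_unchecked(const uint8_t *rec, size_t rec_len, size_t *payload_len) {
    if (rec_len < HB_HEADER_LEN || rec[0] != HB_REQUEST) return 0;
    *payload_len = hb_payload_field(rec);
    return 1;
}

/* Hardened: header + claimed payload + minimum padding must fit inside the
 * bytes that actually arrived, otherwise the record is truncated or lying. */
int hb_accept_checked(const uint8_t *rec, size_t rec_len, size_t *payload_len) {
    size_t claimed;
    if (rec_len < HB_HEADER_LEN || rec[0] != HB_REQUEST) return 0;
    claimed = hb_payload_field(rec);
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len) return 0;
    *payload_len = claimed;
    return 1;
}

/* Build a response from a request: echo the payload and append padding.
 * Returns a malloc'd buffer (caller frees) and sets *out_len, or NULL when
 * the request fails the length check. The memcpy is bounded by that check. */
uint8_t *hb_build_response(const uint8_t *rec, size_t rec_len, size_t *out_len) {
    size_t payload_len, total;
    uint8_t *resp;
    if (!hb_accept_checked(rec, rec_len, &payload_len)) return NULL;
    total = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    resp = malloc(total);
    if (!resp) return NULL;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload_len >> 8);
    resp[2] = (uint8_t)(payload_len & 0xff);
    memcpy(resp + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    memset(resp + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING); /* real code: random padding */
    *out_len = total;
    return resp;
}

/* Constructed sample records (not captured traffic). */
/* Well-formed: type 1, length 5, "hello", 16 bytes of padding (24 bytes). */
const uint8_t hb_good[] = { 1, 0, 5, 'h', 'e', 'l', 'l', 'o',
                            0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
const size_t hb_good_len = sizeof hb_good;
/* Malicious: type 1, claims 65535 bytes, but only one payload byte and
 * 16 bytes of padding follow (20 bytes on the wire). */
const uint8_t hb_evil[] = { 1, 0xff, 0xff, 'x',
                            0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
const size_t hb_evil_len = sizeof hb_evil;

int main(void) {
    size_t n = 0, out = 0;
    uint8_t *r;
    printf("unchecked accepts evil record: %d (claims %zu bytes)\n",
           hb_accept_unchecked(hb_evil, hb_evil_len, &n), n);
    printf("checked accepts evil record:   %d\n", hb_accept_checked(hb_evil, hb_evil_len, &n));
    r = hb_build_response(hb_good, hb_good_len, &out);
    printf("good record -> response of %zu bytes: %s\n", out, r ? "built" : "rejected");
    free(r);
    return 0;
}
```

The point of keeping the check in one function is that the copy can never be reached with an unvalidated length; a reviewer reading the diff only has to find that one comparison, which is exactly what Michael says was missing from the patch he looked at.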