On Mon, Apr 28, 2014 at 06:48:07AM -0500, David Noel wrote:
>
> [snip a bunch of stuff]
Great. I'll start looking at stuff this week, then probably ping you
off-list to ask questions.
Now I just need to add a note about this to my todo-queue so I don't
make a liar of myself.
at "variable" has been initialized by that point in the
> code?
I do believe you are right . . . at least until the code needs to be
edited for some reason.
--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
___
freebs
does not have at least 10% assert
> > lines, you're not really serious about security.
>
> People get really pissed off when I put asserts into OpenSSL.
>
> Perhaps they'll have a different opinion now.
. . . or maybe we'll all end up using LibreSSL in the not-
atch it.
Would you be willing to put the time into training up someone to do that
work? I'm a bit of a fixer-upper, but I am willing and eager to
contribute.
--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
___
freebsd-
es.
While I'm letting myself get embroiled in this, I have a question:
Do you claim that the Clang static analyzer is essentially worthless for
finding and fixing security-related bugs because it is more trouble to
make use of its output than its output is worth, or does it only *seem*
l
e, and this
might in turn help me find where more dire problems lurk in the dusty
corners of my code.
I consider that a win, and as such I appreciate the benefits of Clang's
static analyzer as a tool that, coupled with human judgment (flawed
though it may be), can help me wri
ald and "hcoin", not you.
Thanks for clarifying that. For a moment there, I was actually
confused.
--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
___
freebsd-security@freebsd.org mailing list
http://lists.fr
readability, but it doesn't fix
> any security issues.
I'm generally of the opinion that, all else being equal, making your
code readable is a way to find bugs you did not know existed. Even more
amazingly, making your code readable fixes bugs th
On Wed, Apr 23, 2014 at 11:00:54AM +1000, Mark Andrews wrote:
> In message <20140423003400.GA8271@glaze.hydra>, Chad Perrin writes:
> > On Tue, Apr 22, 2014 at 02:28:57PM -0700, Ronald F. Guilmette wrote:
> > > In message ,
> > > Charles Swiger wrote:
> >
, perhaps you could run this same analysis on
> that code too, and report numbers for that as well.
>
> I am *not* looking forward to the day when I'll be rooted because I was
> watching funny kitten videos on YouTube.
Solution: Dont' watch funny kitten videos on YouTube.
I
to
*trust* the CAs . . . and I do not. They are simply not trustworthy.
This seems like a problem that would make the transition to domain
registries quite intact, based on what I know of the situation.
--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
__
if someone has an
argument more compelling than Istvan's.
(This ignores the notion that there are simply better ways to validate
certs than via CA trust, which is a somewhat separate issue.)
--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
pgpu4TE1qOB8l.pgp
Description: PGP signature
ly affected you -- and, on the other, taking some faceless third
party's assurances on issues of cryptographic trust and discovering that
refusing to take responsibility for your own decisions about trust has
placed your security at the mercy of untrustworthy people.
--
Chad Perrin [ origi
ank you in advance.
You clearly did not actually read what I said. You read *into* it,
creating the impression of some straw man argument in your own head, and
responded to that. This is not a productive way to discuss matters of
security.
--
Chad Perrin [ original content licensed OWL:
en you are
connecting to a site using an encryption certificate you have not already
told it to trust one way or another. If you just uncritically add all
the CAs in the world to a trusted list, all you are doing is turning off
those warnings.
--
Chad Perrin [ original content licensed OWL: http:
eir own decisions about who to trust, rather
than relying on Verisign to make that decision for them. I'm just
speculating wildly -- I actually have no idea.
--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
pgp4SxvhxpdLO.pgp
Description: PGP signature
tion into the base
system of any BSD Unix system. It's GPLed software. If people want it
in FreeBSD, it should go into ports.
--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
pgpDIHjWxmqJj.pgp
Description: PGP signature
17 matches
Mail list logo
