[kwlug-disc] Security arguments

Chris Frey cdfrey at foursquare.net
Fri Oct 2 00:41:38 EDT 2009

On Wed, Sep 23, 2009 at 01:01:45PM -0400, Paul Nijjar wrote:
> On Tue, Sep 22, 2009 at 06:42:25PM -0400, Chris Frey wrote:
> > So it's left to each individual programmer to take responsibility for
> > his own code, and make programming hard for himself: finding the best
> > way to do a given task, and eliminating repetition.  This takes time,
> > money, patience, and attention to every detail.
> I think this means our software will always be bad. Either newbies
> will be dissuaded from writing software (which is actually the
> situation with me -- I am terrified to release code because I know
> little about securing it correctly) or newbies will write code and it
> will have bugs. 

This paragraph needs a reply... it's been stuck in my mind for a while. :-)

In short: this is what version 0.x is for.

I will admit that being an open source programmer takes guts, but it's
the kind that can be hedged.  As long as you don't release your code
with the attitude and the expectation that your code is perfect,
the community can be fairly forgiving.

You don't have to pull a Dan Bernstein and scoff at everyone else while
writing "perfect" software. :-)  That's way too much pressure to put on

And by releasing incrementally, you let the users provide feedback, and
everyone starts hammering out the bugs, including security bugs.

Of course, make a best effort at security, but don't let fear stop you
from releasing your code.  Slap a 0.x version on it, upload a tarball,
GPG sign it, and open a mailing list.  Release early, release often,
as they say.

And if a security bug is found in your code, be the one to announce it
the loudest, and thank the person who found it.  That's what Bugtraq
is for.  Then go through your code and try to make it impossible to
make that mistake again: perhaps with smarter APIs, with test code, or
with lint checkers.  Or all of the above.

- Chris
