<div dir="ltr"><div><div><div><div>My own explanation:<br><br></div>The "given enough eyeballs all bugs are shallow" adage is true, and is true in the case of OpenSSL as well. Even though the source code is open, there were not enough eyeballs.<br>
<br>OpenSSL's code is complex, has a lot of cruft, uses its own memory management, and supports too many obsolete platforms. So for many, it is scary, inelegant, legacy, yucky, and the like.<br><br>Therefore there are effectively only a few eyeballs, if any, on it, hence the bug remained in the code for 2 years.<br>
<br></div>Of course the process could be improved by mandating more rigorous code reviews (e.g. 2 people have to vouch for the commit) before accepting a change.<br><br></div>The OpenBSD folk are ripping out all the old cruft from OpenSSL, and it has been forked as LibreSSL as well.<br>
<br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 22, 2014 at 12:17 PM, CrankyOldBugger <span dir="ltr"><<a href="mailto:crankyoldbugger@gmail.com" target="_blank">crankyoldbugger@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Interesting line in <a href="http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29" target="_blank">http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29</a> , from OpenSSL Software Foundation President Steve Marquess:</div>
<div><br></div><div>[As for Heartbleed], "the mystery is not that a few overworked volunteers missed this bug," Marquess wrote. "The mystery is why it hasn’t happened more often."</div><div style="color:rgb(38,48,52);font-family:Arial,sans-serif;font-size:14px;line-height:20px">
<br></div></div><div><span style="color:rgb(38,48,52);font-family:Arial,sans-serif;font-size:14px;line-height:20px"><br></span></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">
On 22 April 2014 09:37, Giles Malet <span dir="ltr"><<a href="mailto:gdmalet@gmail.com" target="_blank">gdmalet@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 04/22/2014 03:42 AM, unsolicited wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
So, now not only are you postulating that the NSA has injected source<br>
code into OpenSSL, and successfully had it accepted world wide for all<br>
compile from source repositories (otherwise there would be no point,<br>
there would be nothing on the other side of the connection for the NSA<br>
to exploit), you are suggesting that simultaneously they have done so<br>
into gcc to accept and hide the exploit. [...]<br>
</blockquote>
<br>
I said none of that. Could you please keep your attributions correct. I merely pointed out that one of your assertions is factually incorrect.<br>
<br>
g<br>
<br>
<br>
<br>
______________________________<u></u>_________________<br>
kwlug-disc mailing list<br>
<a href="mailto:kwlug-disc@kwlug.org" target="_blank">kwlug-disc@kwlug.org</a><br>
<a href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org" target="_blank">http://kwlug.org/mailman/<u></u>listinfo/kwlug-disc_kwlug.org</a><br>
</blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
kwlug-disc mailing list<br>
<a href="mailto:kwlug-disc@kwlug.org">kwlug-disc@kwlug.org</a><br>
<a href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org" target="_blank">http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Khalid M. Baheyeldin<br><a href="http://2bits.com" target="_blank">2bits.com</a>, Inc.<br>Fast Reliable Drupal<br>Drupal optimization, development, customization and consulting.<br>
Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra<br>Simplicity is the ultimate sophistication. -- Leonardo da Vinci<br>For every complex problem, there is an answer that is clear, simple, and wrong." -- H.L. Mencken<br>
</div>