On 08/04/14 19:20, Martijn Grooten wrote:

> The point that big companies that rely on OpenSSL should think about
> funding the projects has been made by others though, such as at the end
> of this blog:
>
> http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html

Bad Apple specifically said auditing, and I think this is the key.

We are beyond the point where it is reasonable to check all the project team sizes and resourcing in free software, and it may be counterproductive anyway, but you can more reasonably apply checks on the quality of the output.

Software testing is hard, and requires a lot of skilled labour and maintenance. This latter one is key: it is not as if OpenSSL isn't well audited, but not every release gets regression testing, full coverage on new features, etc.

There was also finally a post to the IETF mailing list for TLS asking if just perhaps this protocol is a tad too complex.

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq