Contributed by pitrh on from the take-it-out-back-and-set-it-on-fire dept.
Over at Servicevirtualization.com, Bob Beck (beck@) was interviewed for a piece called Dead Code Walking: What Companies Can Do to Mitigate Old, Bad Code about the Heartbleed bug and the subsequent LibreSSL fork. A favorite quote:
ServiceVirtualization: What can organizations do to ensure they are building applications using high-quality, open-source components?
Beck: This is not an open source problem. It's a problem with any codebase you incorporate or reuse. Examine where they come from, have competent developers look at what they are bringing in, and know what the motivations of the organization are that is developing them. OpenBSD can stand well on its own track record. We are security-focused developers.
By Marc Espie (espie) espie@nerim.net on
The interviewer is a bit dense, maybe on purpose. Bob is right to point that out. It seems that there is this crazy notion going around that the OpenSSL stink is a general "quality" of open source.
I don't know who put that spin on the heartbleed debacle but this is plain wrong, obviously. Any program can be bad code. And it can be even worse for closed source programs: as long as it appears to work, nobody is going to peek under the carpet and see whether it is shit or nice code.
Remember that closet where you quickly hide all the stuff you don't want visitors to see? That's closed source programs. Nobody's going to peek.
Comments
By tbert (tbert) on
You misspelled "all software is terrible."
By Anonymous Coward (80.153.96.240) on
>
> You misspelled "all software is terrible."
I think he's absolutely right.
A nice interview; even Undeadly really just pasted a very small part of it. :-)
Offtopic: Kerberos is gone but passwd still knows about -K.
Is that considered "dead code" or will it stay in case Kerberos gets reimported into the base OS?
By Anonymous Coward (216.180.246.195) on
> >
> > You misspelled "all software is terrible."
>
> I think he's absolutely right.
> A nice interview; even Undeadly really just pasted a very small part of it. :-)
>
>
> Offtopic: Kerberos is gone but passwd still knows about -K.
> Is that considered "dead code" or will it stay in case Kerberos gets reimported into the base OS?
It likely remains because the Kerberos removal has only occurred in -current, and it will likely be gone by the time 5.6-release rolls around this November unless the Kerberos code is cleaned up for reinclusion.
By henning (137.122.78.9) on