OpenBSD Journal

Dead Code Walking: What Companies Can Do to Mitigate Old, Bad Code (beck@ interview)

Contributed by pitrh on from the take-it-out-back-and-set-it-on-fire dept.

Over at Servicevirtualization.com, Bob Beck (beck@) was interviewed for a piece called Dead Code Walking: What Companies Can Do to Mitigate Old, Bad Code about the Heartbleed bug and the subsequent LibreSSL fork. A favorite quote:

ServiceVirtualization: What can organizations do to ensure they are building applications using high-quality, open-source components?

Beck: This is not an open source problem. It’s a problem with any codebase you incorporate or reuse. Examine where they come from, have competent developers look at what they are bringing in, and know what the motivations of the organization is that is developing them. OpenBSD can stand well on its own track record. We are security-focused developers.

(Comments are closed)


Comments
  1. By Marc Espie (espie) espie@nerim.net on

    *THIS IS NOT AN OPEN SOURCE PROBLEM*.

    The interviewer is a bit dense, maybe on purpose. Bob is right to point that out. It seems that there is this crazy notion going around that OpenSSL stink is a general "quality" of opensource.

    I don't know who put that spin on the heartbleed debacle but this is plain wrong, obviously. Any program can be bad code. And it can be even worse for closed source programs: as long as it appears to work, nobody is going to peek under the carpet, and see whether it is shit, or nice code.

    Remember that closet where you quickly hide all the stuff you don't want visitors to see ? that's closed source programs. Nobody's going to peek.

    Comments
    1. By tbert (tbert) on

      > Any program can be bad code.

      You misspelled "all software is terrible."

      Comments
      1. By Anonymous Coward (80.153.96.240) on

        > > Any program can be bad code.
        >
        > You misspelled "all software is terrible."

        I think he's absolutely right.
        A nice Interview even undeadly realy just pasted a very small part of it. :-)


        Offtopic: Kerberos is gone but passwd still knows about -K.
        Is that considered "dead code" or will it stay in case Kerberos gets reimportet into the base OS?

        Comments
        1. By Anonymous Coward (216.180.246.195) on

          > > > Any program can be bad code.
          > >
          > > You misspelled "all software is terrible."
          >
          > I think he's absolutely right.
          > A nice Interview even undeadly realy just pasted a very small part of it. :-)
          >
          >
          > Offtopic: Kerberos is gone but passwd still knows about -K.
          > Is that considered "dead code" or will it stay in case Kerberos gets reimportet into the base OS?

          It likely remains because the Kerberos removal has only occured in -current, and it will likely be gone by the time 5.6-release rolls around this November unless the Kerberos code is cleaned up for reinclusion.

          Comments
          1. By henning (137.122.78.9) on

            Kerberos will not come back.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]