Re: making Debian secure by default
Joe writes:
> Which didn't happen, at least not for two years.
It happened eventually, which is my point.
> I would suggest that for any software as critical as OpenSSL, more
> than one pair of eyes would have been appropriate *before* release.
I would suggest that critical projects such as OpenSSL need to practice
a form of "dependency management" analogous to "supply chain management":
track dependency chains and periodically re-qualify each level. A full
audit might not be possible but at least look closely enough to notice
when a library is being supported by one overworked guy who is taking
patches from random strangers.
NOTE: this is just a suggestion. I don't claim to be any sort of
security expert nor am I trying to tell anyone what to do.
--
John Hasler
john@sugarbit.com
Elmwood, WI USA
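The re-qualification practice John describes (walk the dependency chain, look at each level, notice when a library rests on one overworked maintainer taking patches from strangers) can be made mechanical. The following is an added example, not code from the original thread or from any Debian or OpenSSL tooling: it walks a constructed dependency graph with hypothetical package names, maintainer counts and review dates, and flags every transitive dependency that fails a thin-support or stale-review check. The thresholds (two maintainers, one-year review age) are assumptions chosen for illustration.

```python
"""Added example (not from the original mailing-list post): a small model of
"dependency management" as the post describes it. Given a constructed
dependency graph with per-package maintainer and last-review metadata, it
walks the transitive dependency chain of a top-level project and flags
packages whose support looks thin or whose last qualification is stale.
All package names, counts and dates below are constructed for illustration."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Package:
    name: str
    maintainers: int                 # people who can review and commit
    last_reviewed: date              # last time this level was re-qualified
    accepts_unvetted_patches: bool   # patches land without a second reviewer
    depends_on: list[str] = field(default_factory=list)


# Constructed sample graph (hypothetical package names, not real projects).
GRAPH = {
    "appserver": Package("appserver", 4, date(2024, 5, 1), False, ["tlslib", "jsonparse"]),
    "tlslib":    Package("tlslib", 3, date(2024, 3, 15), False, ["bignum", "asn1dec"]),
    "jsonparse": Package("jsonparse", 2, date(2024, 1, 10), False, []),
    "bignum":    Package("bignum", 1, date(2022, 6, 1), True, []),
    "asn1dec":   Package("asn1dec", 2, date(2023, 11, 20), False, []),
}


def dependency_chains(graph, root):
    """Return {package: depth} for root and every transitive dependency (BFS)."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        name = queue.popleft()
        for dep in graph[name].depends_on:
            if dep not in depth:
                depth[dep] = depth[name] + 1
                queue.append(dep)
    return depth


def requalify(graph, root, today, max_age_days=365, min_maintainers=2):
    """Periodic re-qualification pass.

    Returns a list of (package, depth, reasons) for every package in the
    chain that fails at least one check, shallowest dependencies first.
    """
    findings = []
    ordered = sorted(dependency_chains(graph, root).items(), key=lambda kv: kv[1])
    for name, depth in ordered:
        pkg = graph[name]
        reasons = []
        if pkg.maintainers < min_maintainers:
            reasons.append(f"only {pkg.maintainers} maintainer")
        age = (today - pkg.last_reviewed).days
        if age > max_age_days:
            reasons.append(f"last reviewed {age} days ago")
        if pkg.accepts_unvetted_patches:
            reasons.append("accepts patches without a second reviewer")
        if reasons:
            findings.append((name, depth, reasons))
    return findings


def sample_findings():
    """Run the pass over the constructed graph as of a fixed (constructed) date."""
    return requalify(GRAPH, "appserver", date(2024, 6, 1))


if __name__ == "__main__":
    for name, depth, reasons in sample_findings():
        print(f"{'  ' * depth}{name}: {'; '.join(reasons)}")
```

Only the deepest library in the sample chain trips the checks, which is exactly the situation the post describes: the top-level project looks healthy, and the weak point is two levels down where nobody was looking. The real work in practice is keeping the metadata (maintainer counts, review dates, patch policy) accurate for every level, which is why the pass has to be periodic rather than a one-off audit.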