Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
On 2014-04-16, Paul E Condon <firstname.lastname@example.org> wrote:
>> Only four eyes?
> This is a silly rhetorical question.
> How many 'eyes' are appropriate for a last, final look?
> Many, many eyes had surely already looked at the same code before
> this final look.
We're talking about code *review*.
From the Sydney Morning Herald:
Dr Seggelmann, of Münster in Germany, said the bug which introduced the
flaw was "unfortunately" missed by him and a reviewer when it was
introduced into the open source OpenSSL encryption protocol over two
After he submitted the code, a reviewer "apparently also didn’t notice
the missing validation", Dr Seggelmann said, "so the error made its way
from the development branch into the released version." Logs show that
reviewer was Dr Stephen Henson.
Phong Q. Nguyen, author of the GNUPG paper, noted that
"bad cryptography is much more frequent than good cryptography", and the
"fact that a source code can be read does not imply that it is actually
read, especially by cryptography experts".
"A reviewer would only look at the way [the algorithm] works, not at the
code of the program that was submitted. The same happened with GNUPG,
the reviewer accepted the code."