Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

To: debian-user@lists.debian.org
Subject: Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
From: Curt <curty@free.fr>
Date: Wed, 16 Apr 2014 15:16:55 +0000 (UTC)
Message-id: <[🔎] slrnlkt7kd.2e5.curty@einstein.electron.org>
References: <[🔎] 1397407039.609.61.camel@archlinux> <[🔎] 20140414030313.GA9681@tal> <[🔎] 534B8648.1000604@hardwarefreak.com> <[🔎] 20140414150113.GA23216@tal> <[🔎] CAH_OBid=t4+udRZctLB2PQMGZ4oiKCGoOiFKRFmWOcbbDFiK2g@mail.gmail.com> <[🔎] 20140415044417.GB4034@tal> <[🔎] CAH_OBic6Q=S4Zygi=2sRFsW3tMNenn7U6941m2ABkVfmEobWVw@mail.gmail.com> <[🔎] br5uujFskgsU2@mid.individual.net> <[🔎] 534E178E.1070505@slavino.sk> <[🔎] slrnlksfck.2e5.curty@einstein.electron.org> <[🔎] 20140416144801.GA22471@big.lan.gnu>

On 2014-04-16, Paul E Condon <pecondon@mesanetworks.net> wrote:
>> 
>> Only four eyes?
>
> This is a silly rhetorical question. 
> How many 'eyes' are appropriate for a last, final look?
> Many, many eyes had surely already looked at the same code before
> this final look. 

We're talking about code *review*. 

>From the Sydney Morning Herald:

 Dr Seggelmann, of Münster in Germany, said the bug which introduced the
 flaw was "unfortunately" missed by him and a reviewer when it was
                                            **********    
 introduced into the open source OpenSSL encryption protocol over two
 years ago.

...

 After he submitted the code, a reviewer "apparently also didn’t notice
                              **********
 the missing validation", Dr Seggelmann said, "so the error made its way
 from the development branch into the released version." Logs show that
 reviewer was Dr Stephen Henson.

...

 Phong Q. Nguyen, Author of the GNUPG paper Phong Q. Nguyen noted that
 "bad cryptography is much more frequent than good cryptography", and the
 "fact that a source code can be read does not imply that it is actually
 read, especially by cryptography experts".

 "A reviewer would only look at the way [the algorithm] works, not at the
 code of the program that was submitted. The same happened with GNUPG,
 the reviewer accepted the code."

Reply to:

References:
- Re: My fellow (Debian) Linux users ...
  - From: Ralf Mardorf <ralf.mardorf@rocketmail.com>
- Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
  - From: Chris Bannister <cbannister@slingshot.co.nz>
- Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
  - From: Stan Hoeppner <stan@hardwarefreak.com>
- Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
  - From: Chris Bannister <cbannister@slingshot.co.nz>
- Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
  - From: shawn wilson <ag4ve.us@gmail.com>
- Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
  - From: Chris Bannister <cbannister@slingshot.co.nz>
- Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
  - From: shawn wilson <ag4ve.us@gmail.com>
- Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
  - From: Charles Kroeger <ckrogrr@frankensteinface.com>
- Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
  - From: Slavko <slavino@slavino.sk>
- Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
  - From: Curt <curty@free.fr>
- Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
  - From: Paul E Condon <pecondon@mesanetworks.net>

Prev by Date: Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
Next by Date: Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
Previous by thread: Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
Next by thread: Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
Index(es):
- Date
- Thread