
Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

On 2014-04-16, Paul E Condon <pecondon@mesanetworks.net> wrote:
>> Only four eyes?
> This is a silly rhetorical question. 
> How many 'eyes' are appropriate for a last, final look?
> Many, many eyes had surely already looked at the same code before
> this final look. 

We're talking about code *review*. 

From the Sydney Morning Herald:

 Dr Seggelmann, of Münster in Germany, said the bug which introduced the
 flaw was "unfortunately" missed by him and a reviewer when it was
 introduced into the open source OpenSSL encryption protocol over two
 years ago.

 After he submitted the code, a reviewer "apparently also didn’t notice
 the missing validation", Dr Seggelmann said, "so the error made its way
 from the development branch into the released version." Logs show that
 reviewer was Dr Stephen Henson.

 Phong Q. Nguyen, author of the GNUPG paper, noted that
 "bad cryptography is much more frequent than good cryptography", and the
 "fact that a source code can be read does not imply that it is actually
 read, especially by cryptography experts".

 "A reviewer would only look at the way [the algorithm] works, not at the
 code of the program that was submitted. The same happened with GNUPG,
 the reviewer accepted the code."
