[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)

On Thu, Apr 17, 2014 at 3:36 AM, ken <gebser@mousecar.com> wrote:
Steve brings up a very good point, one often overlooked in our zeal for getting so much FOSS for absolutely no cost.  Since we're all given the source code, we're all in part responsible for it and for improving it.  This ethic should be visited not only on lists like this one, but certainly also in CIS classes and definitely in business and governmental administration courses as well.  

While I can agree in principle with this, in practice, it's not that black and white. Let's look at a real-world example: cars. I, like most on this list, have owned many in my life, can drive them, and even do routine maintenance on them, e.g. brakes, oil changes, changing belts, even changing the odd water pump, a car is a complex system. There are many computers and moving parts that have to work (more or less) in unison for the car to operate properly. There are trained mechanics who know how they "tick."

Similarly, software such as openssl is a complex beast. Very few people are going to be able to review it, let alone code for it. The two most dire warnings in the crypto code biz are a) never implement your own crypto system, because there are a million ways to do it, and 999,997 of them are wrong, and b) peer review is your friend. But just as I would probably prefer a certified mechanic to rebuild the engine in most modern cars, I would hope that the guys writing the code have a helluva lot more expertise than I do and are checking up behind each other. Plus, like OpenBSD, have mechanisms in place to minimize damage when things do go awry.
And right now there is github where over the past couple weeks I've noticed quite a few "projects"-- in fact, the majority of them-- started by one person but with no other contributors.  A significant contribution can be as small as improving documentation.  As Steve points out, without more involvement from more people, we're probably headed for repeated such calamities.

Well, you are free not to use those. I judge this on a case-by-case basis. For instance, I'm not likely to be an early adopter of "Joe's super-secret foolproof cryptosystem" with one dev and a handful of commits, but I might just think about using, say, the pitivi video editor at an early beta. Going back to the car analogy, I said above I would want a certified mechanic to rebuild my engine in a modern car, but I have no problem going my neighbor and having him change the brake pads and rotors, or even to do that myself.

Reply to: