[clug] [OT] 'Technical Debt' in Infrastructure, now entering mainstream media

George at Clug Clug at goproject.info
Sun Nov 10 00:38:56 UTC 2019



On Sunday, 10-11-2019 at 11:16 Chris Smart via linux wrote:
> On Fri, 8 Nov 2019, at 18:50, Sam Couter via linux wrote:
> > As far as code quality goes, OpenSSL is still poop. So was the Linux kernel
> > before everybody who wasn't Linus got into it. Tridge is somewhat of an
> > outlier, and will probably admit the first version of samba wasn't perfect
> > either.
> > 
> 
> I can't personally speak for the quality of the code, however it seems to me that you might be underestimating just how amazing the swiss-army knife we know as OpenSSL actually is. For a code base that still powers the Internet, is run on many billions of devices, underpins many trillions of dollars, and has been around, updated, maintained, patched, improved for over 21 years, I think it's actually done an amazing job.
> 
> In fact, OpenSSL has worked so well and it has been taken for granted so much, that no-one ever bothered investing in it.
> 
> Add to that, when you look at the fact that OpenSSL foundation was only taking in $2000 a year in donations and that there was only one, very smart guy (Dr. Stephen Henson) working on it full-time (and starving), not to mention how much SSL specs have changed over the last 20 years and that it can't break existing implementations, it's even more astounding.
> 
> I don't think you could achieve all of that if the code was poop.
> 
> So while others can go and create a brand new, non-feature full implementation that no-one runs, without any history that is certainly much cleaner and not poop, we're not really comparing the same thing.
> 
> If you remember the notable vulnerabilities[1], it's surprising to me that there are actually only half a dozen or so and most of them are non-trivial.
> 
> In the aftermath of Heartbleed, Steve Marquess (who started the OpenSSL Foundation), wrote this[2] which is interesting:
> 
> Q: "Hey wait a minute — didn’t those bozos just make a dumb sloppy mistake and break the internet?"
> 
> A: "Given the widespread use of OpenSSL over many years it still has an excellent track record. The question that has been asked repeatedly and not often answered is why did this bug take so long to find? Well consider that:
> 
>  - The code was written by someone with a proven track record who is a co-author of the heartbeat specification (RFC6520). It was reviewed by the OpenSSL team and no one spotted a problem.
> 
>  - The code was visible all along to the entire OpenSSL community and no one saw it.
> 
>  - OpenSSL is used by many multinational companies and major government agencies with huge resources who didn’t spot it (or at least did not report it, same difference).
> 
>  - Many have called this “the worst security bug ever”, which is debatable but it is a very serious vulnerability. There are many security researchers in the world who have found problems in OpenSSL and reviewed the code with a fine tooth comb, as shown by all the academic papers which have been written over the years and the security advisories relating to them. Finding this bug would have been a feather in the cap of any one of those security researchers.
> 
>  - Two years passed before Google with its impressive technical resources and talent (and shortly thereafter Codenomicon) found this issue.
> 
> So the mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often."

+1

(writing perfect code is not an easy task)

> 
> 
> [1] https://en.wikipedia.org/wiki/OpenSSL#Notable_vulnerabilities
> [2] http://veridicalsystems.com/blog/of-money-responsibility-and-pride/
> 
> -c
> 
> -- 
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
> 
