Subject: reviewing code
From: Tom Lord <>
Date: Wed, 28 Aug 2002 12:41:28 -0700 (PDT)

This is just a thought experiment -- I no longer work on arch.

Someone wrote SSL patches for arch.  I've started to review them, but
will not finish.  They looked ok (actually, quite good) on primary

Alas, these patches depend on various libraries, some of which are
quite large.   Even if I were to finish reviewing the patches, I would
*never* have time to review those libraries.

Who has (literally) signed off on the SSL libraries after careful
review?  I'm willing to take the risk that, if a few good people write
up a good review, that those libraries are fine.  Not that there's a
final state at which I would just assume, forever and ever, that those
libraries are fine -- just that I'd be happy to buy into a decent

Oh yeah -- if anyone wants to claim that "many eyeballs" eliminates
this concern -- well, nobody knowledgeable should take that seriously.
(The entity with the invisible hands has many eyes, I guess :-)