Subject: Re: reviewing code
From: Tom Lord <lord@regexps.com>
Date: Thu, 29 Aug 2002 10:38:15 -0700 (PDT)


   > Actually that is the problem I see with the 'arch' concept.
   > Sharing code is great and arch promotes innovation.  But
   > people pay for tools and software they trust.


Nail on the head!

Arch is *part* of the infrastructure for a source management policy of
verifiable, decentralized, trust.

Once again: FSBs like Suse or RH should be selling customized source
management and rel eng infrastructure, including testing and
verification tools that are controlled by (larger, sophisticated)
customers.

One current disaster (unrelated to those companies) is DNS: designs
are *severely* constrained by the enormous cost of making changes.
Examples like that will multiply.  Arch is a big part of a cure and is
designed to fit flexibly with other parts.

As a developer, I find the BSD distro I use to be *almost* ideal: I
can (almost) rebuild any system tools on demand;  I have repeatedly
solved problems by consulting the (mostly) easily accessible source.  
I also have a famous Linux distribution on a different box;  I like
that one because the web browser can handle flash.

-t




   Mailing-List: contact fsb-help@crynwr.com; run by ezmlm
   Date: Wed, 28 Aug 2002 22:13:58 -0400 (EDT)
   From: "Forrest J. Cavalier III" <mibsoft@mibsoftware.com>
   Reply-To: "Forrest J. Cavalier III" <mibsoft@mibsoftware.com>
   CC: mibsoft@mibsoftware.com


   > Who has (literally) signed off on the SSL libraries after careful
   > review?  I'm willing to take the risk that, if a few good people write
   > up a good review, that those libraries are fine.  Not that there's a
   > final state at which I would just assume, forever and ever, that those
   > libraries are fine -- just that I'd be happy to buy into a decent
   > process.
   > 

   Actually that is the problem I see with the 'arch' concept.
   Sharing code is great and arch promotes innovation.  But
   people pay for tools and software they trust.

   ------------------------------------------------------------

   To answer your direct question, I did look carefully at SSLeay
   (before it became OpenSSL) and it looked pretty "well-done"
   to me.

   Since then there have been certificate verification
   problems reported, so I guess my review was not as complete
   as it should have been.

   As for OpenSSL, well.... last time I checked the tarballs
   were signed by a personal GPG/PGP key which was only self-signed
   (or signed by one of the others in the group.)    !!

   A quick email received no reply, and because of that I
   started looking hard at the predecessor SSLeay libraries
   instead.

   RSA has (had?) SSL libraries.  (It is possible to write
   C macros so that code can use either RSA or SSLeay or OpenSSL
   at compile time.)