Subject: Re: reviewing code
From: Ben Laurie <ben@algroup.co.uk>
Date: Thu, 29 Aug 2002 20:48:33 +0100

Forrest J. Cavalier III wrote:
>>Who has (literally) signed off on the SSL libraries after careful
>>review?  I'm willing to take the risk that, if a few good people write
>>up a good review, those libraries are fine.  Not that there's a
>>final state at which I would just assume, forever and ever, that those
>>libraries are fine -- just that I'd be happy to buy into a decent
>>process.
>>
> 
> 
> Actually that is the problem I see with the 'arch' concept.
> Sharing code is great and arch promotes innovation.  But
> people pay for tools and software they trust.
> 
> ------------------------------------------------------------
> 
> To answer your direct question, I did look carefully at SSLeay
> (before it became OpenSSL) and it looked pretty "well-done"
> to me.

Ahem. Of the three remote exploits I reported recently, two were from 
the original code and one from contributed code (for Kerberos).

> Since then there have been certificate verification
> problems reported, so I guess my review was not as complete
> as it should have been.
> 
> As for OpenSSL, well.... last time I checked the tarballs
> were signed by a personal GPG/PGP key which was only self-signed
> (or signed by one of the others in the group.) !!

We are actually planning to rectify this rather sad state of affairs.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

Available for contract work.

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff