Subject: Re: reviewing code
From: Ben Laurie <>
Date: Thu, 29 Aug 2002 20:48:33 +0100

Forrest J. Cavalier III wrote:
>>Who has (literally) signed off on the SSL libraries after careful
>>review?  I'm willing to take the risk that, if a few good people write
>>up a good review, that those libraries are fine.  Not that there's a
>>final state at which I would just assume, forever and ever, that those
>>libraries are fine -- just that I'd be happy to buy into a decent
> Actually that is the problem I see with the 'arch' concept.
> Sharing code is great and arch promotes innovation.  But
> people pay for tools and software they trust.
> ------------------------------------------------------------
> To answer your direct question, I did look carefully at SSLeay
> (before it became OpenSSL) and it looked pretty "well-done"
> to me.

Ahem. Of the three remote exploits I reported recently, two were from 
the original code and one from contributed code (for Kerberos).

> Since then there have been certificate verification
> problems reported, so I guess my review was not as complete
> as it should have been.
> As for OpenSSL, well.... last time I checked the tarballs
> were signed by a personal GPG/PGP key which was only self-signed
> (or signed by one of the others in the group.)    !!

We are actually planning to rectify this rather sad state of affairs.

Available for contract work.

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff