Subject: Re: reviewing code
From: Harald Koch <chk@pobox.com>
Date: Thu, 29 Aug 2002 16:22:21 -0400

Of all the gin joints in all the towns in all the world, Ben Laurie
had to walk into mine and say:
> Forrest J. Cavalier III wrote:
> > To answer your direct question, I did look carefully at SSLeay
> > (before it became OpenSSL) and it looked pretty "well-done"
> > to me.
> 
> Ahem. Of the three remote exploits I reported recently, two were from 
> the original code and one from contributed code (for Kerberos).

Which just goes to prove that code reviews don't matter much when it
comes to security exploits. How many pairs of eyes have looked over that
source code over the years? Three popular, and theoretically
trustworthy, software packages have all recently had security alerts (I
speak of SSH, Apache, and OpenSSL). Does this mean we can't trust
trusted software? I don't think so...

(ObFsb: There's a viable business in deployment of the code fixes when
they're announced :-).

-- 
Harald Koch     <chk@pobox.com>

"It takes a child to raze a village."
		-Michael T. Fry