On 2014-04-16, Paul E Condon <pecon...@mesanetworks.net> wrote:
>>
>> Only four eyes?
>
> This is a silly rhetorical question.
> How many 'eyes' are appropriate for a last, final look?
> Many, many eyes had surely already looked at the same code before
> this final look.

We're talking about code *review*.

From the Sydney Morning Herald:

Dr Seggelmann, of Münster in Germany, said the bug which introduced
the flaw was "unfortunately" missed by him and a reviewer when it was
                                               **********
introduced into the open source OpenSSL encryption protocol over two
years ago.

...

After he submitted the code, a reviewer "apparently also didn’t notice
                                         **********
the missing validation", Dr Seggelmann said, "so the error made its way
from the development branch into the released version."

Logs show that reviewer was Dr Stephen Henson.

...

Phong Q. Nguyen, Author of the GNUPG paper

Phong Q. Nguyen noted that "bad cryptography is much more frequent than
good cryptography", and the "fact that a source code can be read does
not imply that it is actually read, especially by cryptography experts".

"A reviewer would only look at the way [the algorithm] works, not at the
code of the program that was submitted. The same happened with GNUPG,
the reviewer accepted the code."

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/slrnlkt7kd.2e5.cu...@einstein.electron.org