> > Yes, you're right, that was on the table and also suggested by
> > Mozilla, but the issue was that people from 360 are used to code in
> > PHP and the old one was in Java and some other for which they are not
> > so familiar and then was decided to re-write all the code in PHP
> > trying to keep the same functionality.
> 
> Given the quality of code produced,

I don't think the quality of the code which is in production now is poor or of
bad quality. It wasn't good initially, that's true, but not now.

> it might have been better in hindsight to hire Java experts to work on the old
> codebase.

That was also on the table.

> 
> > Furthermore, with this decision, we also wanted to let the community
> > know that this is totally a new CA system in all aspects, nothing
> > related to the past, everything from scratch, so new coding, new
> > programming language, new PKI system, infrastructure, etc. hoping this
> > would make the community have a better impression of the new Startcom
> > regarding the distrust issue.
> 
> "We rewrote everything from scratch" is not actually something which itself
> inspires confidence.

What I meant, is that we used a new programming language and then recoded.

> In the case of WoSign, it was required of them because
> their old code was clearly terrible and buggy. But the reason the result would
> have to be strongly audited (were they to
> reapply) is that new code is riskier than old, tried-and-tested code.
> 
> I don't know if I ever wrote it down anywhere, but I'm fairly sure that
> switching back from the WoSign codebase to the older StartCom codebase
> (i.e. reversing the change you made after the purchase) was my suggestion for
> how StartCom should proceed after the dis-trust event.

Yes, that was your suggestion.

> That doesn't mean you are required to take my advice,

Yes, I know

> but it might have been a hint that I wouldn't consider "hey, we rewrote
> everything from scratch!" as
> a positive point.

Well, we thought that it could be. During the distrust issues, I think Ryan 
posted some old issues related to the old Startcom code or procedures (long 
time ago) and then recoding everything was our intent to give a positive 
answer. As said, the term "from scratch" maybe it's not appropriate, but in the
end this code has been audited.
> 
> Gerv


_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
