There's a good discussion on HN (here: https://news.ycombinator.com/item?id=7575210) regarding the funding for OpenSSL.
I feel that the bug results from a mix of issues, several stemming from the lack of funding for developers to treat it as more than just a labor of love. This is software that the Internet heavily relies on for security, yet it has such a small team and only one guy working on it full time. Even with funding, as a project, OpenSSL seems to be managed less than optimally. So I don't see it as a problem of open source, but a problem of project management and resources (project contributors, marketing, outreach), which are ultimately constrained by their poor funding. Of course you can have individual open source developers producing secure code (i.e. DJB), but unfortunately they're the exception.

Another issue linked to project management is that "OpenSSL has exploit mitigation countermeasures to make sure it's exploitable": http://article.gmane.org/gmane.os.openbsd.misc/211963. This meant that advances in open source security in libc are ignored, leaving OpenSSL vulnerable. Allegedly the flag that enables the "OPENSSL_NO_BUF_FREELISTS" (internal memory management) is the default that OpenSSL is tested against, and it apparently doesn't pass tests when the flag is disabled. Fixing this should have been a project priority, but lack of management and resources meant that it's never been done.

So when we look at other open source secure communications software that we rely on, let's also consider how well the project is run, and how many resources they have to achieve their goals.

JPH

On 04/12/2014 07:08 AM, Percy Alpha wrote:
> The recent news of the OpenSSL bug shows no software, open source or not, can be
> fully trusted.
>
> Do we have audits on secure communication software such
> as gpg4win, gpgtools and recent uprising "secure" mobile IMs such as wickr,
> confide, threema and Telegram?
>
> Percy Alpha (PGP <https://en.greatfire.org/contact#alt>)
> GreatFire.org Team
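To make the freelist point above concrete, here is an added illustration (written for this post; it is not code from the mailing-list discussion and not OpenSSL's own code). A toy one-slot freelist hands a freed record buffer straight back on the next allocation without clearing it, so a handler that trusts a claimed payload length (the shape of the April 2014 heartbeat bug) echoes whatever the previous record left in that block. The "hardened" path stands in for what a junk-on-free libc malloc would have done had the library not bypassed it. The secret string, buffer sizes, header layout and the claimed/received lengths are all constructed for the example; the real bug also read past the record buffer into neighbouring heap memory, which this toy deliberately does not model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64          /* fixed-size record buffers handed out by the freelist (constructed) */
#define HB_HDR   3           /* toy heartbeat header: type (1 byte) + length (2 bytes) */
#define JUNK     0xdf        /* fill byte used when "hardened" mode junks freed memory */

/* One-slot freelist: a freed buffer is handed straight back on the next
 * allocation, untouched, exactly as a per-size freelist would do. */
static unsigned char *freelist = NULL;
static int harden = 0;       /* 0: raw freelist; 1: junk on free, as a hardened libc malloc does */

static unsigned char *fl_alloc(void)
{
    if (freelist != NULL) {  /* fast path: recycle without clearing */
        unsigned char *p = freelist;
        freelist = NULL;
        return p;
    }
    return calloc(1, BUF_SIZE);
}

static void fl_free(unsigned char *p)
{
    if (harden)
        memset(p, JUNK, BUF_SIZE);   /* what junk-on-free in libc would have done */
    freelist = p;
}

/* Constructed "secret" that an earlier record left behind in its buffer. */
static const char SECRET[] = "PRIVATE-KEY-MATERIAL-FROM-EARLIER-RECORD";

/* Simulates one heartbeat exchange on a recycled buffer and returns how many
 * bytes of SECRET end up in the response (0 means nothing leaked).
 * The handler trusts the claimed payload length; that is the bug. */
size_t heartbeat_leak(int hardened)
{
    unsigned char resp[BUF_SIZE];
    harden = hardened;
    freelist = NULL;

    /* 1. An earlier record carried sensitive data, then its buffer was freed. */
    unsigned char *old = fl_alloc();
    memcpy(old, SECRET, sizeof SECRET);
    fl_free(old);

    /* 2. The next record is read into the recycled buffer. Only the bytes
     *    that actually arrived overwrite it: header + a 2-byte payload. */
    unsigned char *buf = fl_alloc();
    const size_t received = 2;          /* payload bytes really sent */
    const size_t claimed  = 48;         /* payload length the peer claims */
    buf[0] = 1;                         /* heartbeat request */
    buf[1] = (unsigned char)(claimed >> 8);
    buf[2] = (unsigned char)(claimed & 0xff);
    memcpy(buf + HB_HDR, "hi", received);

    /* 3. Vulnerable handler: copies `claimed` bytes from the payload start
     *    without checking it against `received`. The over-read stays inside
     *    the 64-byte block, so what it picks up is whatever the block held
     *    before it was recycled. */
    size_t n = ((size_t)buf[1] << 8) | buf[2];
    if (n + HB_HDR > BUF_SIZE)
        n = BUF_SIZE - HB_HDR;          /* keep the toy within its own block */
    memcpy(resp, buf + HB_HDR, n);

    /* 4. Count how much of SECRET is visible past the real payload. */
    size_t leaked = 0;
    for (size_t i = received; i < n; i++) {
        size_t idx = HB_HDR + i;        /* same offset the old record used */
        if (idx >= strlen(SECRET) || resp[i] != (unsigned char)SECRET[idx])
            break;
        leaked++;
    }

    free(buf);                          /* buf == old: the block was recycled */
    return leaked;
}

int main(void)
{
    printf("freelist, no junking : %zu secret bytes leaked\n", heartbeat_leak(0));
    printf("junk-on-free         : %zu secret bytes leaked\n", heartbeat_leak(1));
    return 0;
}
```

The point is not the length check (that is the bug itself) but the second line of defence: with the raw freelist the response carries 35 bytes of the earlier record, while the same handler on a junked block leaks nothing, because the stale contents were destroyed before the block was reused. A library that keeps its own recycling layer opts out of that protection no matter how good the platform allocator becomes.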
-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
