While I totally agree with the direction Tim is taking on this, we need to remember that there's another condition as well: access to the platform in question, either directly by one of us, or through someone in the community. Otherwise, we can have as many tests as we want, it still won't test *that* code (be it assembler or something else)
In message <cahej-s7o+ztc8gf3zn_j7qofpicbxtobyfrxr8avk6s15hd...@mail.gmail.com> on Tue, 03 Apr 2018 15:36:15 +0000, Tim Hudson <[email protected]> said: tjh> And it should have a test - which has nothing to do with ASM and everything to do with improving tjh> test coverage. tjh> tjh> Bugs are bugs - and any form of meaningful test would have caught this. tjh> tjh> For the majority of the ASM code - the algorithm implementations we have tests that cover things tjh> in a decent manner. tjh> tjh> Improving tests is the solution - not whacking ASM code. Tests will catch issues across *all* tjh> implementations. tjh> tjh> Tim. tjh> tjh> On Tue, 3 Apr. 2018, 8:29 am Salz, Rich, <[email protected]> wrote: tjh> tjh> On 03/04/18 15:55, Salz, Rich wrote: tjh> > This is one reason why keeping around old assembly code can have a cost. :( tjh> tjh> Although in this case the code is <2 years old: tjh> tjh> So? It's code that we do not test, and have not tested in years. And guess what? Critical CVE. tjh> tjh> _______________________________________________ tjh> openssl-project mailing list tjh> [email protected] tjh> https://mta.openssl.org/mailman/listinfo/openssl-project tjh> _______________________________________________ openssl-project mailing list [email protected] https://mta.openssl.org/mailman/listinfo/openssl-project
