Re: I can't believe how much this sucks

2012-11-15 Thread Sanford Staab(Gmail)
It’s interesting that this article shows that LACK OF GOOD DOCUMENTATION and 
POOR API DESIGN are at the heart of this problem.
I have noticed over the years that much of our society has changed its very 
idea of what a good application is.
It used to be that if something could not be easily understood or behaved badly 
or unexpectedly, people would see this as a bug in need of fixing.
With the rise in software complexity, requirements for budgets and schedules, 
we have now evolved to a society of hoop jumpers who see software as good 
enough if they can find a path to make it do what they want.
Developers have followed suit, practically forced to do so, and we now have 
massive amounts of broken code on broken code on broken code.
Ownership of code (i.e. really taking responsibility for it) is unheard of 
because the onerous burden of being responsible for your work is simply an open 
door to a lawyer that wants to steal the fruit of your labor.
It is no wonder under these circumstances that “security by obscurity” has 
become the de facto standard of the day.
The true bug here is our justice system unfortunately.
I think it is high time for a v2 of openssl, a rewrite almost from scratch, 
removing support for older protocols and ciphers and simplifying it down with 
full TDD from start to finish to really correct this problem.
And of course, probably not gonna happen.
But thanks for listening.

Sandy

-Original Message- 
From: Marco Molteni (mmolteni) 
Sent: Thursday, November 15, 2012 4:42 AM 
To: openssl-users@openssl.org 
Subject: Re: I can't believe how much this sucks 

Another amen.

I am a professional programmer. I am grateful for OpenSSL. At the same
time, each time I have to use it directly (as opposed to using a few of the
good C++ wrappers) I know I will be going down to hell and fighting for my
life, and when I come back, my hair will be grayer :-)

Lack of good documentation is a problem for any software library, but in
this case lack of documentation can also cause security vulnerabilities
because the user of the API misunderstood it.

As Charles, I propose as food for thought the very recent, very good paper
on the security risks of (among other things) wrong APIs and wrong
documentation:
The Most Dangerous Code in the World: Validating SSL Certificates in
Non-Browser Software,
available at http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

marco.m

On 13.11.2012 19:49 , Charles Mills charl...@mcn.org wrote:

AMEN!
 
Why is it easier to answer dumb question after dumb question here rather
than to document the darned product once? (Never mind the cumulative
labor of all the programmers trying to figure out and debug the same
problems again and again and again, all over the world.)
 
Consider
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf. Doesn’t *some* of the
responsibility for these (severe and scary!) problems fall on the lack of
clear documentation?
 
It’s a GREAT product and I love it and am grateful but why after years
and years do the man pages still say “under construction”?
 
Charles


Re: I can't believe how much this sucks

2012-11-15 Thread Sanford Staab(Gmail)
In the case of openssl, a big gain would be to simply document the command 
line interface better and create a doc centric forum for people to add their 
lessons learned filed around the particular feature area of openssl. 
WORKING EXAMPLES would be REAL cool.  Does anyone on this alias want to let 
me or others know how we can update the docs somehow?


-Original Message- 
From: Carlo Wood

Sent: Thursday, November 15, 2012 8:31 AM
To: openssl-users@openssl.org
Subject: Re: I can't believe how much this sucks

On Tue, 13 Nov 2012 14:11:17 -0700
t...@terralogic.net wrote:

This is just a NORMAL way for a programmer to work IMHO.  I HATE
coming into undocumented code years after it's been written and IMHO
it's a big booby trap because it's very easy to miss something and that
creates hard to find bugs.  Really cryptic error messages don't help
this.  I've looked in the OOS community and there are attempts to put
together systems and one I looked at was OXYGEN.


I concur. When I was 12, I wrote compact code with only single
character variables and no documentation. For some reason I was able to
have thousands of code lines all in my head at once and I had no idea
why I'd need to add documentation.

When I got older, I started to use more descriptive variable and
function names, mostly for the purpose of being able to
'grep' (reg.exp) them in large code. At some point I completely did
away with abbreviations and only used complete English words,
discovering that code is incredibly better to understand when the
variable names express exactly what they mean (to the point that it
avoids bugs). I still didn't see the point in documentation however:
the code explained itself as if it was English.

Only when my memory started to get worse and I couldn't remember
Megabytes of code anymore, especially when my code became so complex
that I had to use Object Orientation because it was impossible to keep
an overview, I started to document code. The funny thing is: I did this
mostly because I knew that a year later I wouldn't be able to
understand it myself anymore if I didn't; not because I thought that
anyone else might need it.

Now, after more than 30 years of coding experience I have reached the
same conclusion as terra wrote: Code is only as useful as its
documentation. Don't bother to write code without good COMPLETE
documentation as it's worthless: only you, the developer (with a good
memory on top of that) will think it's trivial and usable. Everyone
else will not be able to use it.



http://www.stack.nl/~dimitri/doxygen/


I have no idea at this time how useful this would be.


Perhaps the best we might be able to do on the user side is a wiki
and perhaps one exists.


I did a google search on this.

https://help.ubuntu.com/community/OpenSSL

^ I did find this and I did not look very hard.  Maybe there is
something better.  If there is then it doesn't come up in the 1st
hits google finds.


So I think we can do much better.

Just my 2 cents.


--
Carlo Wood ca...@alinoe.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   majord...@openssl.org 

