On Fri, Apr 18, 2014 at 09:41:47PM -0400, Jacob L. Leifman wrote: > I'm guessing that openssl was incorporated into OpenBSD base without > prior sufficient audit by the OBSD devs because it was presumed to have > better auditing / quality control upstream given its security critical > nature and function. (A number of devs have commented in the past about > the [lack of] code style, but I get the impression no-one expected the > degree of *sloppiness* now being uncovered.) So here's a question, are > there any other chunks of code that have been imported en-mass from an > upstream source that could/should use an audit? especially, something > that some of us non-developers might be able to assist with?
No, you're mistaken. We've known for a while it was on the very dirty side, but there are obvious human reasons because of which people were reluctant to dive in. Note that it's on a par with a lot of opensource code out there, unfortunately. At some point, you have to make choices, as the amount of time and manpower we have is limited.