On Fri, Apr 18, 2014 at 09:41:47PM -0400, Jacob L. Leifman wrote:
> I'm guessing that openssl was incorporated into OpenBSD base without 
> prior sufficient audit by the OBSD devs because it was presumed to have 
> better auditing / quality control upstream given its security critical 
> nature and function. (A number of devs have commented in the past about 
> the [lack of] code style, but I get the impression no-one expected the 
> degree of *sloppiness* now being uncovered.)  So here's a question: are 
> there any other chunks of code that have been imported en masse from an 
> upstream source that could/should use an audit? Especially, something 
> that some of us non-developers might be able to assist with?

No, you're mistaken. We've known for a while it was on the very dirty
side, but there are obvious human reasons for which people were 
reluctant to dive in.

Note that it's on a par with a lot of open-source code out there, 
unfortunately.  At some point, you have to make choices, as the
amount of time and manpower we have is limited.
