> I'm guessing that openssl was incorporated into OpenBSD base without 
> prior sufficient audit by the OBSD devs because it was presumed to have 
> better auditing / quality control upstream given its security critical 
> nature and function.

Everyone has to take shortcuts.  After what you've seen here, can you name
anyone who didn't take the same shortcut?

Meanwhile, is any other operating system out there auditing the
OpenSSH they get from here?

> (A number of devs have commented in the past about 
> the [lack of] code style, but I get the impression no-one expected the 
> degree of *sloppiness* now being uncovered.)

It is very surprising.

> So here's a question, are 
> there any other chunks of code that have been imported en masse from an 
> upstream source that could/should use an audit? Especially, something 
> that some of us non-developers might be able to assist with?

Sorry, no, because it is a development process.

