[Linux-aus] Post in ZDnet re: Heartbleed

Paul Wayper paulway at mabula.net
Wed Apr 16 22:53:25 EST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 14/04/14 22:37, Kathy Reid wrote:
> Hi everyone,
> 
> There's a post on ZDnet that posits that OpenSSL benefitted little from 
> being open source; 
> http://www.zdnet.com/did-open-source-matter-for-heartbleed-7000028378/ I
> strongly disagree with a lot of the points in the article, but am 
> interested in the thoughts of others.
> 
> * If OpenSSL wasn't open source, the vulnerability may never have been
>   found
> * The CVE was dealt with transparently and openly
> * The patch was freely available when the CVE was made public
> * The specific code vulnerability, now patched, will make other C code
>   more secure as people learn from the error

There have been flaws in the Linux kernel and other major open source projects,
so this isn't a new thing.  My opinion here is that we, the open source
community, pat ourselves on the back - or assuage our own fears about the
code we run - by saying "lots of intelligent people have read this code and
they trust it, so it must be good".  We all know that's not true.

Looking for vulnerabilities is hard.  Looking at other people's code is
often hard.  It's been remarked that one of the things that makes the Linux
kernel so successful is that it's actually pretty consistent in its code
style - other projects like OpenSSL have less consistency.  It takes a lot
of time to read through someone else's code, get over the feeling of "what
were they thinking here!  This for loop could be much better written!" and
move on to actually trying to find problems in the logic.

And in my view there's too much kudos given to people who write new things,
who go off and reinvent the wheel in their own way.  Announcing new projects
is more popular at events like LCA, in part because the papers committee
prefers those to updates on existing projects.  So there's little incentive
to read someone else's code unless you're debugging - like Russell - or
trying to add some new feature.  Most of us use those libraries and APIs as
black boxes and trust what we put in and get out.

But the "open source" element to this problem is being overblown in some
news sources.  This problem exists - sometimes a lot worse - in proprietary
software, but when bugs are found there's no cry in the same news sources
against closed source software.  It's also easy to blame something that
doesn't have a team of lawyers and PR people ready to correct every news
article into line with the company message.

You're absolutely right, the process followed by the OpenSSL team and the
various distributions in fixing this has been very well done and is a model
for how these things should be fixed.  It's regrettable that it had to
happen in the first place, but it's easy to imagine what would have happened
if it had been Microsoft's SSL implementation that had the vulnerability.

Have fun,

Paul
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlNOfUUACgkQu7W0U8VsXYJjtQCgqBjKlIY6lKJsSmX1tT/kp6TG
fDQAoKr+dMcLiRSaOrWZWrt6Pk0+mDl7
=l84d
-----END PGP SIGNATURE-----