
Re: OpenSSH: What went wrong?



On Sat, 29 Jun 2002, Darren Reed wrote:

> Theo,
>      I think you (and perhaps others) are mistaken about what I'm
> expecting here.  When something in the Government fucks up, they
> investigate and announce that something will be changed to try and
> make sure it doesn't happen again.  I don't expect there to be any
> "investigation", but I was kind of hoping that someone would come
> out and say "we're going to do this differently from now on so we
> catch more things before they hurt the public."  It sounds to me
> like you're saying nothing is going to change in the way the audit
> process is applied or in how code goes from idea to integrated for
> public use.

Darren, if all I had to go on was your questions (which I feel are quite
valid) and the current responses, then I too would feel worried about the
current state of auditing.  However, Theo has already made many statements
that one of the processes inherent in auditing is that when new forms of
bugs are found the source tree is gone through looking for the same bugs
and fixing them.  Refer to
http://interviews.slashdot.org/article.pl?sid=00/12/11/1455210 among
other interviews.
While I don't expect Theo & crew to do this overnight, I'm confident it's
one of the things they'll do.

Knowing what Theo has said in the past about code auditing and knowing
OpenBSD's past history, I have full confidence in the current process of
auditing.  You've been around longer than I, Darren, and surely you've
read what Theo's said in the past, so why do you feel differently?

-f
http://www.blackant.net/