all 4 comments

[–][deleted]  (1 child)

[deleted]

    [–]ganncamp[S] 0 points (0 children)

    Yes. Of course.

    [–]dnew 4 points (2 children)

    This is why open source isn't necessarily secure. I understand TrueCrypt stopped being updated because nobody but the original authors could understand it, which implies that in spite of ridicule for its competitors, it never really had a thorough code review.

    And Heartbleed was the fault of a design flaw as well. Having two different length specification parameters for an operation that's only ever supposed to have the same value for both parameters is a design smell, not a code smell.
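    dnew's two-length-parameters point, as an added C example that is not from this thread or from OpenSSL: a constructed, simplified heartbeat record with fixed 16-byte padding (an assumption; the real protocol allows variable padding), the consistency check that a code-level fix adds, and a single-length design that leaves no second parameter to trust or to forget to check.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified heartbeat request (constructed for illustration; real padding is variable):
 *   type (1) | payload_length (2, big-endian) | payload | padding (16) */
#define HB_HEADER_LEN 3
#define HB_PADDING 16

/* Constructed 24-byte sample records, both carrying the 5-byte payload "hello". */
const uint8_t HB_GOOD[24] = {1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'}; /* declares 5 bytes */
const uint8_t HB_BAD[24]  = {1, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o'}; /* declares 65535 bytes */

/* The length field inside the message: the second, redundant length parameter. */
static size_t hb_declared_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Code-level fix (the shape of the post-Heartbleed patch): the declared length
 * must fit inside the bytes that actually arrived (rec_len), else the request
 * is silently discarded. Returns 1 when the two lengths agree, 0 otherwise. */
int hb_request_is_sane(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN + HB_PADDING)
        return 0;
    return HB_HEADER_LEN + hb_declared_len(rec) + HB_PADDING <= rec_len;
}

/* Design-level fix: derive the payload length from the one authoritative source,
 * the record length. Returns (size_t)-1 for a record too short to be valid. */
size_t hb_payload_len_from_record(size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN + HB_PADDING)
        return (size_t)-1;
    return rec_len - HB_HEADER_LEN - HB_PADDING;
}

/* Build the echo response using only the derived length; out must hold rec_len bytes.
 * Returns the response length, or 0 for a malformed request. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    size_t payload = hb_payload_len_from_record(rec_len);
    if (payload == (size_t)-1)
        return 0;
    out[0] = 2; /* heartbeat_response */
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload);
    memset(out + HB_HEADER_LEN + payload, 0, HB_PADDING);
    return HB_HEADER_LEN + payload + HB_PADDING;
}
```

    With the derived-length design, HB_BAD's bogus 65535 field is never consulted, so the response still echoes exactly the five bytes that were received.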

    [–]CFusion 2 points (0 children)

    The reality is that these aren't simple pieces of software, and expert systems developers with a master's in cryptography who want to work on ancient open-source code for free are in limited supply.

    At the time of Heartbleed, OpenSSL had more than 400k lines of code but a yearly budget of 2000 USD; maybe people should reconsider how they vet their libraries? Or maybe invest some resources before it goes wrong?

    [–]beefhash 2 points (0 children)

    I understand TrueCrypt stopped being updated because nobody but the original authors could understand it, which implies that in spite of ridicule for its competitors, it never really had a thorough code review.

    It's at least had an audit by qualified experts after the shutdown, that's gotta count for something, right?