
This is why software sucks - zdw
http://www.tedunangst.com/flak/post/this-is-why-software-sucks
======
georgemcbay
Another reason software sucks is that developers are sometimes so incredibly
bad at communicating their ideas (which impacts documentation, development
planning (especially in the age of distributed open source projects), and even
code quality [in terms of naming, commenting, etc]).

"I don’t have much involvement in portable, but I definitely had a hand in
neutering the RAND and egd interfaces. Contrary to some commentary, we didn’t
neuter these interfaces because we didn’t know what they were. We neutered
them because we know precisely what they are. They’re fucking stupid."

uh... okay; thanks for the enlightenment.

I'm sure this post makes more sense to people who are intimately familiar with
whatever it is that is being talked about in the first place, but to the rest
of us it might as well be written in Klingon.

~~~
yellowapple
Having read the various slides on why libressl is deemed necessary, it makes
quite a bit of sense. A large chunk of OpenSSL's API has no business existing
in the first place, let alone in a public scope, because said chunk consists
mostly of redundant and half-baked implementations of things that exist in the
operating system and/or external libraries.

OpenSSL took a rather strange approach of "hey, $some_obscure_operating_system
doesn't provide $some_critical_system_function, so let's implement it
ourselves and _activate it for every single platform that OpenSSL is used on
regardless of whether or not there 's an existing equivalent_". In many cases,
these sorts of shenanigans are the source of various bugs or - just as
horribly - the reason why so many bugs had been undetectable via stricter
memory access requirements and debugging techniques (the latter being what's
referred to when the phrase "exploit mitigation countermeasure" is used in the
context of OpenSSL).

Ted could probably be a bit more helpful by providing a link to the "fucking
stupid[ity]" that is OpenSSL's bass-ackwards API, but most of this is already
explained in prior announcements about libressl's improvements/development and
such, so it's understandable why he didn't feel the need to provide links for
context.

------
davidw
> Do you want software to stop being shit? Then stop expecting... nay, stop
> demanding that software be shit.

As I've written before, it's almost _entirely_ about the economics of it. For
tons of software out there, there is simply no incentive to make it super
stable, polished, secure, etc.

In other words: let's say you're building a web app for a small local
business. Are you going to build it in Erlang, run it on several physical
machines and do all the other fault-tollerant, high-availability stuff, or are
you going to put together some pieces of Rails or PHP or Django and call it
'pretty good'? You're going to do the latter, because otherwise you're going
to cost a _lot_ more than the competition, deliver less, and in any case the
guy running the business is going to be understanding if you need to take the
site down for an hour on Sunday morning to upgrade something once in a while.

So far, so good. Security is a bit more problematic, because there can be some
pretty serious financial ramifications. The trick is to get the people who
bear those risks to pay some of what it costs to produce better software,
which is not always easy in the case of open source.

~~~
_delirium
I've long thought that the different liability regime is a big part of that.
In just about any business that is not software, it's much harder for a
commercial vendor to _completely_ disclaim all liability via a boilerplate
contract. At the very least some basic liability attaches when you ship a
seriously defective product: if it's not even remotely fit for the advertised
purpose, has failure modes bad enough to be negligent, etc. But the way the
existing doctrines have been applied to the software: 1) are quite deferential
to EULAs; and 2) de-facto raise the bar for "negligence" to something
approaching intentional malfeasance or fraud.

(The economic effects of the different liability regime might be good or bad,
but it's quite striking how doctrines that are well-understood in other areas
are applied so differently to software.)

~~~
davidw
That's a good point, but I still think it's tricky: we're talking about
OpenSSL here. Making contributors liable for defects in open source software
would have some very, very negative effects: we would not even _have_ an
OpenSSL to complain about.

~~~
x0x0
openssl didn't ship to end users; it's the software that goes to end users
that should bear liability

~~~
davidw
That's a pretty much impossible distinction to make.

------
0xdeadbeefbabe
Software sucks because everyone makes mistakes. Even if the developer avoids
mistakes, mistaken users will demand more mistakes which will in turn support
their own "wrong wrong wrong" or "software sucks" narrative.

Anyone have a less horrific take?

~~~
VLM
"on the other hand we have people demanding that we maintain every last
misfeature piece of shit function in that API."

AKA I'd like you to sprinkle magic security dust on the code so I can check
off "secure" on my checklist, but don't actually change anything.

------
personZ
I don't even really understand what this is saying. Is it a critique that
LibreSSL faces undue criticism?

This is one of those "Live by the sword, die by the sword" things: LibreSSL
was birthed, it seems to me, as an opportunistic venture to take the meager
funding and attention away from OpenSSL during its time of crisis, sold on the
premise that OpenSSL is a festering heap maintained by a bunch of hacks, and
now it's time for the big boys to show how it should be done.

When you start like that, you _will_ face an incredible amount of scrutiny.
Every failure will be exaggerated and spread far and wide.

Expect to die by the sword. Or to use another cliche, when you throw rocks at
your neighbor's glass house, you should avoid building your own of the same.

~~~
clarry
_> LibreSSL was birthed, it seems to me, as an opportunistic venture to take
the meager funding and attention away from OpenSSL_

How do people come up with bullshit like this? You try to make the free
software project look like an obnoxious enterprise that would exploit a time
of uncertainty to show off and bolster their status, for revenue.

The reality is that they realized a critical component of their security-
focused project is broken and needs fixing, urgently. So they started working
on it. That is _what they do._ All the attention was generated by media and
citizen of the Internet. At the time, I don't think anyone was talking about
funding. Definitely not about the funding of OpenSSL.

Then people started demanding portability. Other people wanted to support the
project just because. Or because they came to realize (or already knew) that
OpenSSL had serious issues. At the time, no funding was being directed at
fixing these issues.

~~~
personZ
_You try to make the free software project look like an obnoxious enterprise
that would exploit a time of uncertainty to show off and bolster their status,
for revenue._

During the wide media exposure of OpenSSL's heartbleed vulnerability, Theo
quite cleverly forked off LibreSSL, started a campaign for funding, and
aggressively and viciously attacked the existing codebase.

[http://arstechnica.com/information-
technology/2014/04/openss...](http://arstechnica.com/information-
technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-
fork/)

Yes, it absolutely appears to be exploiting uncertainty for their own benefit.
Both in exposure and status ("I'm here to save the day"), but also in funding.
Theo, and I assume others, are paid by such funding, so it isn't quite so
benevolent.

Sticking "free software" in the description doesn't suddenly remove all normal
human motivations.

~~~
Aqueous
Yep - they could have just easily acted like team players instead of egoistic
contrarians and joined efforts with the OpenSSL team to help improve OpenSSL
along with the original developers. If they did that you'd probably see a lot
less criticism today. Instead, they chose to be assholes - and this is their
come-uppance.

Nothing says "This codebase is beyond repair" quite like forking a codebase
and repairing it.

~~~
vezzy-fnord
Acting like a team player doesn't get shit done. That's not how human
relations in free software development work. The improvements of OpenSSL that
the LibreSSL team envisioned required such massive code overhauls and deletion
of legacy functionality, plus certain modules for FIPS support that were
detrimental to security, that there was likely no way to do it all upstream.

------
andyzweb
here is some software that sucks less:
[http://suckless.org/](http://suckless.org/)

