Ask HN: Negative OpenSSL sentiments
63 points by aggresswift on Apr 12, 2014 | 48 comments
While I admit that the recent Heartbleed security issue is a critical issue, I am getting perpetually flummoxed by the 'I have the moral high ground' negative comments being thrown at the OpenSSL project & developers. Innumerable blogs and HN threads are taking the stand of 'how could they commit something like that', 'how idiotic was the committer', 'OpenSSL should not use a custom wrapper around malloc', and even taking personal shots at the two gentlemen who were referenced in the code.
Mistakes were made in code and processes, mistakes will continue to be made in code. What we need is:
* A formal code review tool. I don't know whether there's something like review-board for OpenSSL commits.
* Donations to the OpenSSL foundation. C'mon folks, practically all your online security depends on OpenSSL (Cisco, Juniper, Extreme, Huawei, Google, Yahoo, Wikipedia: I am looking at you). A bit of money back to OpenSSL (and OpenSSH + friends) would go a long way. Personally, I think these tools ought to be getting way more than Wikimedia (just my two cents).
* More eyes on the code. Whether it's refactoring the code, formal code audits, or full-time employees from the Fortune 500 companies.
* You to commit. This is an open project. 20/20 retrospective bashing does no one favours. If you really feel strongly about something, get a patch out then start yammering about it.
* A security mailing list. Something similar to xen-security-announce. That way, major vendors, cloud providers, and OS distributions can get fixes baked by the time the general alarm is sent.