Subject: Re: FreSSH
To: John Nemeth <jnemeth@victoria.tc.ca>
From: Michael G. Schabert <mikeride@mac.com>
List: current-users
Date: 03/08/2002 02:04:55
At 10:44 PM -0800 3/7/02, John Nemeth wrote:
>On Jun 23, 12:41pm, Greg A. Woods wrote:
>} [ On Thursday, March 7, 2002 at 20:45:53 (-0800), John Nemeth wrote: ]
>} >
>} > When you consider all the squawking that the OpenBSD crowd does
>} > about why their code is so secure because they audit it amongst other
>} > things, I want it to not have the bugs. SSH is an extremely important
>} > security related application. It shouldn't have security holes.
>}
>} Well it wasn't all their code to begin with, and I suspect a lot of it
>} has still not really been properly rewritten.
>
> I realise that. However, given the squawking they do about
>auditing and the importance of the code, it should have been completely
>audited a long time ago.
I don't doubt that the entire code *has* been audited. However, I can
say with 100% certainty that you, John Nemeth, have looked over text
or code some time in your life, whether to proofread or debug, where
you've looked over the same pages over & over & not noticed an error,
and someone else gave it a gloss-over & saw a problem. It happens to
everyone. And in code, it's not exactly like proofreading, & C is
hardly our native language. And in complex code, you will undoubtedly
stare blankly at some point. Such is the nature of the beast.
>} And there is a _lot_ of it (code that is, in OpenSSH + OpenSSL). Almost
>} all code has bugs, and the more code there is the more bugs there are,
>} and the bigger and nastier they usually get.
>
> Not according to their marketing fodder. I do realise the
>validity of the above statement, but if they are going to make
>contradictory marketing fodder, then why not hold them to it?
We are holding them to it. They say they concentrate on security. We
say there's a security bug. They fix it within 3 days of first
notification. You won't see that out of Redmond or Cupertino.
Actually, on the Mac manager lists I'm on, many see this as a "test"
for the responsiveness of Apple for OSX/OSX Server, which has 3.0.2p1.
Mike
--
Bikers don't *DO* taglines.