[OT] Windows dying
Shachar Shemesh
shachar at weka.io
Thu Nov 2 09:38:21 UTC 2017
On 02/11/17 07:13, H. S. Teoh wrote:
> There is another side to this argument, though. How many times have
> *you* reviewed the source code of the software that you use on a daily
> basis? Do you really*trust* the code that you theoretically*can*
> review, but haven't actually reviewed? Do you trust the code just
> because some random strangers on the internet say they've reviewed it
> and it looks OK?
This question misses the point. The point is not that you, personally,
review every piece of code that you use. That is, if not completely
impossible, at least highly impractical.
The real point is that it is *possible* to review the code you use. You
don't have to personally review it, so long as someone did.
I think the best example of how effective this capability is is when it,
supposedly, failed: OpenSSL and Heartbleed.
Recap: some really old code in OpenSSL had a vulnerability that could
remotely expose secret keys from within the server. The model came under
heavy criticism because it turned out that despite the fact that OpenSSL
is a highly used library, its code was so convoluted that nobody
reviewed it.
The result: a massive overhaul effort, led by the OpenBSD team, which
resulted in a compatible fork, called LibreSSL.
In other words, even when the "many eyes" assumption fails, the recovery
is much faster than when the code is closed.
Shachar
More information about the Digitalmars-d mailing list