| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 17 Jul 2006 15:50:03 +1000 (Australia/ACT) From: Darren Reed <avalon@...igula.anu.edu.au> To: gwc@....org (George Capehart) Cc: bugtraq@...urityfocus.com Subject: Re: LAMP vs Microsoft In some mail from George Capehart, sie said: > > <rant> > This is truer than you know. I've been writing code since 1974, and I > see the same mistakes being made over and over and over and over . . . > again. Just as in wars, it seems that every generation is destined to > make the mistakes that their elders made. There is no industry-wide > repository of "Lessons Learned." Each generation is left to make the > same mistakes over and over. If one were to do a root-cause analysis, > what would one find? Programming courses teach grammar and syntax. > They do not teach "safe programming." (Except Crispin and Dave, of > course . . .) Programming managers are programmers who grew up and > decided they'd had enough of the 80-hour weeks and wanted to become > managers. They don't know/care, either. It's only when the "powers > that be" decide that it's better business to deliver bug-free, secure > code than shipping mostly-working code out the door that things will > change. Wanna take a bet on how long that'll be? > </rant> So, you seem the same mistakes being made over and over... While I agree there isn't enough of "lessons learned" in programming, I think this also applies to the people who develop languages. The unfortaunte case is that potentially the only languages that aren't susceptible to being "exploited" are those like prolog/lisp, but who uses them to write an application? I think this is the case with PHP - it and the problem it is solving needs to be reexamined and a better language developed that is written with the actual target audience (and their skill levels) in mind. Whilst I can't comment on what every project does, I'll comment on what two projects do do in order to produce better code. 1) openbsd commits generally require the approval of two others when they're commiting code. to what level the code is reviewed I can't say - it is all internal. 2) OpenSolaris projects will all post code changes to the Internet before code is committed to the project. Review of that code is generally open for at least 2 weeks. When it comes time to put that code into OpenSolaris, the review process requires the code team to enumerate and discuss every issue brought up. Internally the goal is to try and select people who are faimilar with different areas/functionality to review code. While management don't like all the delays, they're there for a purpose and the steps cannot be walked around, so they might grumble but they do accept it. For other projects, people post diffs and there is a less formal review process - and possibly only one person to decide yes/no. If you want to be part of the solution, rather than just the rant, feel free to join the opensolaris community and contribute ideas on source code changes or how the processes work. Doing open code reviews is a process we are just starting to come up to speed with, so there are no easy indexes of this activity available. Darren
Powered by blists - more mailing lists