lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200607170550.k6H5o3ix015220@caligula.anu.edu.au>
Date: Mon, 17 Jul 2006 15:50:03 +1000 (Australia/ACT)
From: Darren Reed <avalon@...igula.anu.edu.au>
To: gwc@....org (George Capehart)
Cc: bugtraq@...urityfocus.com
Subject: Re: LAMP vs Microsoft

In some mail from George Capehart, sie said:
> 
> <rant>
> This is truer than you know.  I've been writing code since 1974, and I
> see the same mistakes being made over and over and over and over . . .
> again.  Just as in wars, it seems that every generation is destined to
> make the mistakes that their elders made.  There is no industry-wide
> repository of "Lessons Learned."  Each generation is left to make the
> same mistakes over and over.  If one were to do a root-cause analysis,
> what would one find?  Programming courses teach grammar and syntax.
> They do not teach "safe programming."  (Except Crispin and Dave, of
> course . . .)  Programming managers are programmers who grew up and
> decided they'd had enough of the 80-hour weeks and wanted to become
> managers.  They don't know/care, either.  It's only when the "powers
> that be" decide that it's better business to deliver bug-free, secure
> code than shipping mostly-working code out the door that things will
> change.  Wanna take a bet on how long that'll be?
> </rant>

So, you seem the same mistakes being made over and over...

While I agree there isn't enough of "lessons learned" in programming,
I think this also applies to the people who develop languages.  The
unfortaunte case is that potentially the only languages that aren't
susceptible to being "exploited" are those like prolog/lisp, but who
uses them to write an application?

I think this is the case with PHP - it and the problem it is solving
needs to be reexamined and a better language developed that is written
with the actual target audience (and their skill levels) in mind.

Whilst I can't comment on what every project does, I'll comment on
what two projects do do in order to produce better code.
1) openbsd commits generally require the approval of two others
   when they're commiting code.  to what level the code is reviewed
   I can't say - it is all internal.

2) OpenSolaris projects will all post code changes to the Internet
   before code is committed to the project.  Review of that code is
   generally open for at least 2 weeks.  When it comes time to put
   that code into OpenSolaris, the review process requires the code
   team to enumerate and discuss every issue brought up.  Internally
   the goal is to try and select people who are faimilar with
   different areas/functionality to review code.  While management
   don't like all the delays, they're there for a purpose and the
   steps cannot be walked around, so they might grumble but they do
   accept it.

For other projects, people post diffs and there is a less formal
review process - and possibly only one person to decide yes/no.

If you want to be part of the solution, rather than just the rant,
feel free to join the opensolaris community and contribute ideas on
source code changes or how the processes work.  Doing open code
reviews is a process we are just starting to come up to speed with,
so there are no easy indexes of this activity available.

Darren

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ