[TriLUG] Fwd: [ NNSquad ] Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

Phil Smith mazphil57 at yahoo.com
Wed Mar 5 09:51:33 EST 2014


One insightful comment in the Ars Technica article:

"the [gnutls] code was clearly written by people who didn't know what they were doing, and it would take a complete rewrite *by competent programmers* to make it usable. The design was bad, not just the implementation".

There should be a site that has moderated reviews of all FOSS packages including gnutls.  (Filtering out comments from people that don't RTFM, etc.).  Apparently the "many pairs of eyeballs find defects" idea breaks down when the code is a big mess and is basically unreadable.  A good review site would flag the source as a mess with security implications.  I remember a policy at a former employer that any software rated in the top 2% in defects was flagged for a complete redesign/rewrite rather than being patched any further, with the idea that the design and/or coding was probably not fixable.

Another purpose of a review site would be to flag dishonesty (currently, package authors provide their own descriptions).  For example, the "Gnash" and "Lightspark" plugins always claim to run "most Youtube Flash content" but in practice seem to run less than 5%.  (To be fair, no one who has ever worked on real Adobe Flash is allowed to contribute to Gnash).  If the community's limited resources could be placed on trouble spots and not "creating yet another [binary] distro.", we'd all be much better off.

Distros themselves could also be reviewed, for example, "Linux Mint achieved great popularity by ignoring EULA prohibitions on redistribution of proprietary plugins and drivers; by distributing these anyway, the end user feels that 'everything just works'".

Phil