Firewall Wizards mailing list archives
Re: FWTK and smap/smapd
From: Darren Reed <darrenr () reed wattle id au>
Date: Fri, 19 Jul 2002 14:05:27 +1000 (EST)
In some email I received from Marcus J. Ranum, sie wrote: [...]
I don't think audit works: there are more bad programmers than good programmers. So to audit all the code we'd have to stand down all the good programmers - who are the guys who get all the useful coding done anyhow. The entire software industry would collapse. Legend is this may already have happened.
While some may think the point I'm about to make is an example of how audit works, I think it shows quite clearly that it is "not enough".

Earlier in the year, a bug showed up in mail(1) on OpenBSD. This particular bug was OpenBSD-specific. Why? Because someone changed some code and re-enabled this particular "feature". That this change made it into a general release shows that while they may audit reams of code, they don't audit their own changes very well (hence all of the OpenSSH bugs from "new features") before 'approving' them for general consumption by the public.

When I dared to cross-examine them on this, nobody seemed particularly concerned and nothing was going to change in their software development methodology/life cycle.

Audit fixes a bug once, it does nothing to make sure it stays fixed and it is an awfully big waste of time to have to re-audit stuff all the time.

Darren

p.s. The0 will hate you for not liking his "audit works" drugs :)

p.p.s. Given the above I'd be inclined to take the Open*** crew of programmers out of the "good" pool, making it somewhat smaller.