Firewall Wizards mailing list archives
Re: Code reviews [Was: FWTK and smap/smapd]
From: Jim Duncan <jnduncan () cisco com>
Date: Fri, 19 Jul 2002 16:07:29 -0400
Marcus J. Ranum writes:
> [...] And Carson was so darned insufferable about the patches he sent in that even though he was right I wished he'd go away. ;)
If it's any consolation, Carson treats everybody the same way. :-)
> I think relatively few people look at the code nowadays - it's almost certainly lower proportionally than it used to be. But the number of eyeballs has, perhaps, gone up. The whole concept of open source code review is very dubious to me, since the typical open source package is hugely bloated with features and portability hacks, comes with a convoluted "configure" script and - well - in the face of that why not just install the rpm?
It's amazing to me how much of my job falls in between Henry Spencer's observation, "Those who fail to learn from UNIX are condemned to re-invent it, poorly," and some other person who said, "There's a fixed amount of clue on The Net." (s/on The Net/in this industry/g)

A huge number of the vulnerabilities and lackluster coding mistakes that I see are simply older errors repeated. Making the source code available for viewing by a wide audience doesn't guarantee that vulnerabilities will be found and fixed, but it does increase the likelihood that someone will notice a piece of code that looks like some old mistake reborn. My holy grail has been to divine some sort of genealogy for code snippets so I can track who worked with whom and who mentored with whom on various software projects. Then when I discover a programmer who consistently shoots from the lip with their pointer arithmetic, I can find the other software routines they've worked on, and (more importantly) I can find the other programmers who have learned the same dangerous coding style from this Typhoid Mary of software engineering.

It is true that fewer people look at the code, and I think it undermines the assumption of the completely open source full disclosure crowd that users can protect themselves immediately if only they had full details. They can't. Most people have to wait on vendors and support people to test fixes and deploy changes, especially so in the more complex regulatory environment surrounding networking and the legal obligations affecting cyber commerce.

Jim

==
Jim Duncan, Product Security Incident Manager, Cisco Systems, Inc.
http://www.cisco.com/warp/public/707/sec_incident_response.shtml
E-mail: jnduncan () cisco com
Phone(Direct/FAX): +1 919 392 6209
Current thread:
- Re: FWTK and smap/smapd, (continued)
- Re: FWTK and smap/smapd Frederick M Avolio (Jul 17)
- Re: FWTK and smap/smapd Joseph S D Yao (Jul 17)
- Re: FWTK and smap/smapd Marcus J. Ranum (Jul 19)
- Re: FWTK and smap/smapd Joseph S D Yao (Jul 19)
- Re: FWTK and smap/smapd Marcus J. Ranum (Jul 19)
- Re: FWTK and smap/smapd Anton J Aylward, CISSP (Jul 19)
- Re: FWTK and smap/smapd Paul D. Robertson (Jul 19)
- Re: FWTK and smap/smapd R. DuFresne (Jul 19)
- Re: FWTK and smap/smapd Joseph S D Yao (Jul 19)
- Message not available
- Code reviews [Was: FWTK and smap/smapd] Marcus J. Ranum (Jul 19)
- Re: Code reviews [Was: FWTK and smap/smapd] Jim Duncan (Jul 19)
- Re: Code reviews [Was: FWTK and smap/smapd] Carson Gaspar (Jul 22)
- Re: Code reviews [Was: FWTK and smap/smapd] ark (Jul 23)
- Re: Code reviews [Was: FWTK and smap/smapd] Carson Gaspar (Jul 23)
- Re: Code reviews [Was: FWTK and smap/smapd] Joseph S D Yao (Jul 23)
- Re: Code reviews [Was: FWTK and smap/smapd] Carson Gaspar (Jul 23)
- Re: Code reviews [Was: FWTK and smap/smapd] Darren Reed (Jul 23)
- Re: Code reviews [Was: FWTK and smap/smapd] Joseph S D Yao (Jul 23)
- Re: Code reviews [Was: FWTK and smap/smapd] Darren Reed (Jul 23)
- Re: FWTK and smap/smapd Brian Hatch (Jul 19)
- Re: FWTK and smap/smapd Adam Shostack (Jul 17)