Re: How regularly is the GnuPG source code examined?
From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: 09/27/05
- Next message: Milan VXdgsvt: "Re: Re-rolled Salsa20 function"
- Previous message: tomstdenis_at_gmail.com: "Re: How regularly is the GnuPG source code examined?"
- In reply to: Alun Jones: "Re: How regularly is the GnuPG source code examined?"
- Next in thread: Unruh: "Re: How regularly is the GnuPG source code examined?"
- Reply: Unruh: "Re: How regularly is the GnuPG source code examined?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 27 Sep 2005 21:58:57 +0000 (UTC)
Alun Jones wrote:
>"David Wagner" <daw@taverner.cs.berkeley.edu> wrote in message
>> Do you remember some of the prior PGP bugs, like the one where the
>> randomness
>> source wasn't read because a return value wasn't checked? Stuff like that
>> could slip past a code review, whether or not you have comments and coding
>> conventions.
>
>Good tools help that, though. Marking return values as "must be checked",
>and then checking that all "must be checked" return values _are_ checked is
>a must-have on a source analysis tool.
I think you are missing the forest for the trees. Maybe if you work
at it you can eliminate that one particular instance of security hole,
but this by no means will eliminate all security holes. Even if you
use such a tool, I believe it will still likely be possible for a
determined, motivated, knowledgeable insider to insert a backdoor that
goes undetected.
- Next message: Milan VXdgsvt: "Re: Re-rolled Salsa20 function"
- Previous message: tomstdenis_at_gmail.com: "Re: How regularly is the GnuPG source code examined?"
- In reply to: Alun Jones: "Re: How regularly is the GnuPG source code examined?"
- Next in thread: Unruh: "Re: How regularly is the GnuPG source code examined?"
- Reply: Unruh: "Re: How regularly is the GnuPG source code examined?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
