[cryptography] Just how bad is OpenSSL ?
noloader at gmail.com
Tue Oct 30 07:58:55 EDT 2012
On Tue, Oct 30, 2012 at 5:03 AM, Ben Laurie <ben at links.org> wrote:
> On Mon, Oct 29, 2012 at 10:34 PM, Jeffrey Walton <noloader at gmail.com> wrote:
>> On Fri, Oct 26, 2012 at 2:29 PM, John Case <case at sdf.org> wrote:
> Apparently you think the best way to get a secure platform is to apply
> pressure through pointless security standards. I'd suggest your
> efforts might be better spent supplying patches instead. Or, y'know,
> talking to the authors of the s/w in question. You never know, they
> might care.
Ah, OK. My bad.

I've tried supplying patches and filing bug report/enhancement requests.

Here was a gentle patch for spelling corrections in a README -

Here was a patch for Xcode awareness - rejected (is it fair to say
when it sits for years without acknowledgement?).

I can't locate a bug report on the use of the uninitialized data.
Perhaps I had the discussion on the developer's mailing list (I know
I'm not imagining it, so my apologies).

I am also aware that patches existed for some time for CCM mode, GCM
mode, and SRP. In the case of GCM, IBM supplied the patches 5 or 10
years earlier. None were acted upon.

The project does not appear to want outside help. If I am drawing the
wrong conclusion, please forgive me.