Entry tags:
Heartbleed
Thanks to jducoeur, this link to XKCD's explanation of the Heartbleed bug.
OMG: I didn't realize it was this simple and stupid. Reason #738 why no production code should be written in C or C++.
no subject
If there was Code Review, if the code review was professionally done...
Quality Engineering is a fraught existence: when we find and fix bugs, we get no plaudits, but miss one damned thing: and we get hung by the neck until dead, while the developer that put the bug in there only gets spanked. :-)
The right tool for the job is the right tool: and sometimes that right tool is a language that permits buffer overruns and illegal pointer dereferencing, but which provides other language features that are advantageous.
It's all about balancing risks properly.
I would proffer that, given the incredible importance of this software, as it relates to critical infrastructure, it sure would have been nice if it had gotten more and better attention.
no subject
no subject
I thought that was a very good thing, frankly.
Although if they had not, GIT would have done it for them. :-)