OpenSSL bug sparks new development

by
in code on (#3HX)
The Heartbleed bug has sparked new interest in cleaning up the OpenSSL code base. As evidenced by OpenBSD's CVS repository, the team has started removing old platform specific code, style inconsistencies, non-free hardware crypto engines, and dubious wrappers from the library. Perhaps the best side effect of the Heartbleed bug will be a much cleaner and more secure OpenSSL package.

Ed. note: So, is a catastrophic and highly public failure what it takes to catalyze action in some projects? And if so, which other projects are in need of some energizing disaster?

Update: The mentioned cleanup is taking place in the OpenBSD CVS repository. The official OpenSSL repository information can be found at http://www.openssl.org/source/repos.html

Most of these problems already have partial solutions (Score: 4, Informative)

by fatphil@pipedot.org on 2014-04-15 14:08 (#12V)

Whilst it doesn't apply to heartbleed, large number of problems can be detected with static analysis.

OK, Coverity doesn't (yet) spot heartbleed, but it soon will:
: http://security.coverity.com/blog/2014/Apr/on-detecting-heartbleed-with-static-analysis.html

OpenSSL have a history of deliberately ignoring the results of such scans:
: http://openssl.6102.n7.nabble.com/Coverity-coverage-of-OpenSSL-td42651.html

I agree that the false positives are annoying, but you can mark them as false positives, and you won't be warned about them again.
Post Comment
Subject
Comment
Captcha
Yesterday was Saturday. If this is true, what day is today?