Now I could start this with attacking the notorious Seggelmann/Henson bug-team. And probably that would be justified to a certain extent. But I won't. Well. Not beyond the introduction that is.
So let's roll over the two and then get to the ugly part.
Seggelmann and Henson did it again. A rather stupid - and not that much different - bug hit OpenSSL again. Coding fuck up. Review fuck up. We know that drill already.
I really dig this one here
/* They must be playing with us! BTW, failure to enforce
* upper limit would open possibility for buffer overrun. */
Really? Maybe the failure was to mention this incidentally? Would it have worked better as a standard C threat?
/* Bitches not checking boundaries will be water boarded! */
Well. It would have been better to actually place that comment a couple of lines earlier. But sometimes even prophets are a bit late to the game.
Half of the net is raging again. I bet Seggelmann would love to have a time-machine. Henson probably as well. I for sure would. Both didn't do their job. Errors happen. These shouldn't.
But is it their fault that half of the fucking world uses a project that's pretty much a spare-time-two-guys-and-some-volunteers project? No it's not. What exactly do we expect? A full time job delivered for free so big-money can save a couple of rather lousy dollars?
One would assume that a project that's pretty much essential for quite a few irons could get financial and actual staff support. Wouldn't you? I know. Ridiculous idea.
But since Henson makes a buck with OpenSSL consulting ... that's totally going to fly.
Price question: If Henson makes a buck with consulting? What is he probably not doing?
Now it could be that they never asked for it or never actually got that idea. But shouldn't I ask myself how the fuck they are doing it? Maybe it's a virgin birth.
I do that all the time. My stuff just happens to come into shape on its own. I simply command it to exist. Now don't tell that customers because they'd request a discount based on charged hours. But it's true. I sit on the porch, watch the pool and when I get a call I just command the code to be.
OpenSSL is pretty much a full time job...for a couple of guys who are actually qualified. And somehow they need to get paid. An amazing revelation isn't it? Who would have thought of that?
Well. Obviously someone did now. More on that later.
OSS is that and just that. Open source code. Mostly it's also more or less free to use. Depending on the license. With libraries like OpenSSL open source is not really a matter of choice. It is essential. If you are using this project in your project and you're making a huge fucking buck off of it you are actually supposed to support it.
Ain't I a bitch? How could I possibly suggest supporting some fuckers with your hard earned money, that you partially happen to make off of their work? That's a dangerously slippery slope we're on here. Yes you'd be paying for all the others too. I know. Big deal. Big tears.
Really? Google? The rest of you cheapskates buying crap shit for 4 billion dollars a piece? Anyone got the feeling I might be pointing your direction? No? Well I do.
So who got that let's pay them idea a little bit late in the game? The Linux Foundation. They are planning to pay or are already paying two full time developers and are paying for a security audit of OpenSSL. One of the two is Henson. This is good news. But it comes very late and it's not much. I'd estimate that OpenSSL has at least 3 more slots to be filled. Specifically after the open crypto audit started its work. My guts and spaghetti-code sensors are telling me there's room for a few more issues. And if you look at who the linux foundation is it isn't really too much to ask for. It's pretty much everyone. The 8 platinum members are all heavyweights and that list doesn't even include Google and Cisco who happen to be just gold members or the estimated 50 silver members which include Yahoo, Twitter and VMWare. It's really pretty much about everyone. Not everyone on that list relies equally on OpenSSL but many have substantial benefits.