Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

How many of the people talking about 'many eyes' on HN feel that they would have spotted the Debian OpenSSL bug[1]? As far as I remember it was not spotted through code review, but because people discovered identical certs in the wild.

[1] https://www.schneier.com/blog/archives/2008/05/random_number...



It's possible someone could've - just the diff in itself was fishy, because it commented out two lines which added entropy, yet it was obvious from the diff alone that that the OpenSSL developers only thought one of them should be disabled to keep memory checkers happy.


This is an argument for vanilla distributions. The most sensible place for expert code review (a limited resource) is the upstream project. By comparison, distro modifications receive relatively little review. If the Debian patch had been mailed to openssl-dev, I doubt it would have quietly gotten "LGTM" replies and been picked up by a maintainer.


But "could have" is the theoretical defence. "Did" (or rather "didn't") is the real world test.

This is the whole point - OSS offers the potential to be safer but if there aren't qualified people with the skills and expertise digging into every nook and cranny of every bit of code.

Ironically it's like the security services say - they have to win every time to win, the terrorists only have to win once.

The community have to spot and fix every exploit to secure the system, the NSA only have to get one in to compromise it - and these aren't like accidental flaws, they're things the NSA will know are there, know the extent of and know precisely how to take advantage of them.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: