I'm going to quote somebody out of context. Please bear with me...
What I am seeing is that we have a ridiculously upside-down trust
model -- "Trust the developers".
We never asked for people to trust us. We might have "earned some" in
some people's eyes, but if so it has always been false, even before
this. People should trust what they test, but the world has become
incredibly lazy.
We build this stuff by trusting each other as friends, and that is
done on an international level. If anything, the layers and volume of
trust involved in software development should decrease trust. Oh
right, let's hear some of that "many eyes" crap again. [..] All the
many eyes are apparently attached to a lot of hands that type lots of
words about many eyes, and never actually audit code.
If anything, the collaborative model we use should _decrease_ trust,
[..]
Before anyone gets the wrong idea, I'm not trying to attack any individual here. But so many software vulnerabilities, goto fail included, Heartbleed included, have caused such an angry response from people: that the bug was trivial, that it should've been caught by static analysis, smart compilers, a correct review process, careful third-party readers, TDD, UFOs, ADHD, <insert favorite tech here>. It is easy to say all that in hindsight, because for the most part you are right. So why weren't these techniques used?
You can't blame the developers for everything; they have their own work on their hands and you are not entitled to anything more from them. You also can't trust developers. If there's sloppy code, someone has to notice it and point it out. Someone has to fix it. If there are sloppy development practices and it is evident that the upstream developers do not care, someone has to notice that and let the world know. Then maybe create a fork and try to do better.
So anyone capable of reviewing code and diffs: please try to do it if you haven't before. Try to do more if you're already doing it. And remember, you do not have to be an expert programmer to notice a duplicated goto fail line.
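To show what that duplicated line actually does, here is a constructed reduction of the goto fail shape beside its corrected form. This is added illustration, not code from the original post or from any vendor's TLS stack; sslHashUpdate and sslHashFinal are stand-ins that take a flag saying whether the step should fail.

```c
#include <stdio.h>

/* Constructed stand-ins for the hashing steps of a signature check.
   Like the real helpers they return 0 on success and nonzero on error. */
static int sslHashUpdate(int should_fail) { return should_fail ? -1 : 0; }
static int sslHashFinal(int should_fail)  { return should_fail ? -1 : 0; }

/* Buggy shape. The second "goto fail;" is not guarded by the if, so it
   always runs. The final check below it is dead code, and err still holds
   the 0 from the successful update call, so the caller sees success even
   when the final step would have failed. Clang's -Wunreachable-code warns
   about the dead statement; reading the diff is enough to spot it. */
int verify_with_duplicated_goto(int update_fails, int final_fails)
{
    int err;
    if ((err = sslHashUpdate(update_fails)) != 0)
        goto fail;
        goto fail;                                  /* duplicated line */
    if ((err = sslHashFinal(final_fails)) != 0)     /* never reached */
        goto fail;
fail:
    return err;
}

/* Corrected shape: one goto per check, braces so indentation cannot lie. */
int verify_fixed(int update_fails, int final_fails)
{
    int err;
    if ((err = sslHashUpdate(update_fails)) != 0) {
        goto fail;
    }
    if ((err = sslHashFinal(final_fails)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    /* Final step fails: buggy version still reports 0 (success). */
    printf("buggy: %d  fixed: %d\n",
           verify_with_duplicated_goto(0, 1), verify_fixed(0, 1));
    return 0;
}
```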
Or if you can write tests, why don't you contribute?