by ultramancool
3550 days ago
There's definitely some truth to this. FreeRADIUS is just not that valuable a target, since not many people have RADIUS exposed to the world. However, if you look at other highly valuable targets like OpenSSH, which is probably in the top 10, if not the most valuable target in the world, you see far fewer significant exploits. It's definitely possible to have better quality than OpenSSL, and a lot of OpenSSL's issues are due to legacy code and what amount to experiments being run in production software.

https://www.openssl.org/news/secadv/20160926.txt
<sigh>
No one can reasonably say that the practices of the OpenSSL programmers result in secure code. No one can reasonably say that lots of people examining it later for defects is a good idea.
We have lots of legacy code in C. The only sane way to maintain it is tests: unit tests, functional tests, and static code analysis.
> a lot of OpenSSL's issues are due to legacy code
i.e. the OpenSSL people don't care to actively maintain / clean up their software.
What a depressing statement to make.