Hacker News
by jonstewart 4453 days ago
There are obviously systemic problems, like funding, corporate (and government) under-investment of time and talent, and implementing an imperfect standard. Those have a significant impact, to be sure.

But bad code is bad code is bad code. And it doesn't take too much investigation of OpenSSL to realize it's not good code. To date the inertia of network effects has outweighed the badness of OpenSSL. Hopefully the Heartbleed fall-out will disrupt those network effects and get end-user developers to explore other implementations or spur renewed investment in improving OpenSSL. But it would be folly to continue on with the status quo.

The Spolsky argument is that you should never throw working code away. Part of the reason for this is that you will have subtle business logic embedded in the old code. However, in the case of SSL, there's a specified protocol. So, if there's a codebase to be rewritten from scratch, it's one that's an implementation of a spec.