[Alupis]

It's code. There are no secrets.

Problems come up when nobody reads the code. Right now, there's an awful lot of people reading this code (Given the strange warning's posted on the TC site).

[SoftwareMaven]

That's a fine attitude for normal code, but crypto is a whole different ball game. Linux security was significantly reduced at one point because somebody changed int i to int i=0, something most developers would thing is a positive. Side channel attacks are extremely easy to create and extremely hard to find. And, unfortunately, the "many eyes" thing doesn't work here because it requires experienced, knowledgable eyes, and there aren't enough of those, and they are usually busy getting paid, researching how to break software or building their own stuff.

[quasque]

> Linux security was significantly reduced at one point because somebody changed int i to int i=0

Could you please elaborate on this one?

[SoftwareMaven]

It's been a while. I should have restricted it to Debian: http://jblevins.org/log/ssh-vulnkey

[nikbackm]

Seems to me they relied on the uninitialized memory of a stack variable as a partial source of randomness for key generation.

Initializing the variable with 0 removed that part.

[quasque]

Your explanation makes sense. Though I'm still curious as to when this happened and what the impact was.

[andygates]

[fridge brilliance] Maybe, after the OpenSSL debacle, they realised that the only way to make a truly secure product was to get a lot of eyeballs on the code, hence the dramatic diva flounce to grab attention... [/fridge brilliance]