On Tue, Oct 30, 2012 at 5:03 AM, Ben Laurie <b...@links.org> wrote:
> On Mon, Oct 29, 2012 at 10:34 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
>> On Fri, Oct 26, 2012 at 2:29 PM, John Case <c...@sdf.org> wrote:
>>>
>>> [SNIP]
>
> Apparently you think the best way to get a secure platform is to apply
> pressure through pointless security standards. I'd suggest your
> efforts might be better spent supplying patches instead. Or, y'know,
> talking to the authors of the s/w in question. You never know, they
> might care.

Ah, OK. My bad.
I've tried supplying patches and filing bug reports/enhancement requests.

Here was a gentle patch for spelling corrections in a README - rejected.
http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2401

Here was a patch for Xcode awareness - rejected (is it fair to say when it sits for years without acknowledgement?).
http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2402

I can't locate a bug report on the use of the uninitialized data. Perhaps I had the discussion on the developer's mailing list (I know I'm not imagining it, so my apologies).

I am also aware that patches existed for some time for CCM mode, GCM mode, and SRP. In the case of GCM, IBM supplied the patches 5 or 10 years earlier. None were acted upon.

The project does not appear to want outside help. If I am drawing the wrong conclusion, please forgive me.

Jeff