On 6/2/24 07:42, Rich Pieri wrote:
> Numbers of lines of code does not correlate with attack surface.
> Neither does code complexity.
> Silliness.
Lines of code isn't identical to the size of the attack surface, but it
has to be strongly correlated, the same way that not wearing a seat belt
isn't identical to "you will die in a car crash", but it is strongly
correlated. I can't say I have seen studies to prove it, but I have
personally seen that more lines of code means less is known about what
is really going on inside that code, which means lower odds that the
right (and safe) stuff is going on in there.
- The fact that test and build processes are intertwined and so
complicated that they can't be trusted to produce the right output—and
people apparently think this complexity is a reasonable state of
affairs—should be an embarrassment, not an excuse.
- The fact that people might want to make systemd happier by patching
OpenSSH should be an embarrassment, not an excuse. (The fact that anyone
would patch OpenSSH at *all* should be an embarrassment.)
- The fact that it was possible for any bad guys to thread through this
chaos and plant a backdoor in sshd (sshd!) should be taken as evidence
that it is a horribly embarrassing mess, not an excuse.
-kb
P.S. And to unfairly beat up on the proverbial "some random person in
Nebraska": The fact that the xz test code is so obscure that no one
understands it should be an embarrassment, not an excuse. (Test code should
be simpler than the stuff it is testing.)
_______________________________________________
Discuss mailing list
Discuss@driftwood.blu.org
https://driftwood.blu.org/mailman/listinfo/discuss