Jens Christian Hillerup <j...@hillerup.net> writes:

> So what do we do about this? Opening the source code as an argument
> for security no longer suffices. How can we raise money for rigid and
> independent quality assurance of software that in this case is
> designed to potentially save lives? And how can we make sure that
> this money flows into the fund and out to the QAers on a regular
> basis?
For what it's worth: OpenITP's Peer Review Board [1] is intended to help with exactly this. It's under development; Eleanor Saitta on this list can give a better sense of where things stand at this point, but I wanted to let you know the effort is under way.

By the way, I don't agree with the original blog post's [2] ad hominem remarks about Cryptocat's developers. The most popular programs are always where people are most excited to find bugs. It's therefore hard to compare Cryptocat's development against that of other security projects, given that many of those projects are not as popular as Cryptocat -- in other words, it's hard to establish what the baseline is or should be. So I wish people would be more circumspect about flinging around words like "incompetent"; it just sets a bad tone and doesn't help anything. Cryptocat's response [3] is exemplary.

-Karl

[1] http://wiki.openitp.org/peerreviewboard:start
[2] http://tobtu.com/decryptocat.php
[3] https://blog.crypto.cat/2013/07/new-critical-vulnerability-in-cryptocat-details/