On Mon, Jul 8, 2013 at 4:34 AM, Maxim Kammerer <m...@dee.su> wrote:
> On Mon, Jul 8, 2013 at 4:34 AM, Tom Ritter <t...@ritter.vg> wrote:
>> As one of the people on this list who does paid security audits, I
>> both want to, and feel obligated to, weigh in on the topic.
>
> Thanks for your insight into code review process. Besides perhaps
> insinuating that Veracode didn't do their job properly, I don't see
> how it is in any way relevant to the Cryptocat incident discussed ITT.
> [...]
> There is absolutely nothing I can learn from this incident.
If it's all old review for you, I hope you will share even more specific suggestions for others. CryptoCat has been a useful object lesson, but already there is no shortage of threads for waggling the finger of shame and personal criticisms. It helps that the discussion goes to a more general discussion of review approaches and precautions.

Tom's was the first message of the thread that was useful to forward to my own project. Some specific suggestions are now tasks in our bug tracker.

--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech