> any special case changes for testing means you're not testing the REAL > CODE.
You mean you're not testing *all* of the real code. That's fine, you can't debug everythign at once. > for example if you build -DPURIFY then you also won't get notified of > problems with other PRNG seeds which are supposed to be providing random > *initialized* data. not to mention that a system compiled that way is > insecure -- so you either have to link your binaries static (to avoid the > danger of an insecure shared lib), or set up a chroot for testing. Right, but you know that. So you don't build with -DPURIFY if you care about things that it affects. But sometimes you care about other things. > in any event YOU'RE NOT TESTING THE REAL CODE. which is to say you're > wasting your time if you test under any of these conditions. You seem to think that code is one monolithic thing that doesn't consist of component parts. In fact, code does consist of component parts, and the code your actually testing may be a different component from the one you change the compilation flags on. > openssl should not be relying on uninitialized data for anything. > even if > it doesn't matter from the point of view of the PRNG, it should be pretty > damn clear it's horrible software engineering practice. No, it's not pretty damn clear. The only reason it might be horrible is because it makes the code less predictable. But in this case, predictability is explicitly undesired. Perhaps you can make a coherent argument why it's bad in this particular case, but I doubt it. This is the opposite of the typical case. > -dean Good luck finding people who agree with you. I've been a professional software developer for about 18 years and I've worked on debugging with hundreds of other developers. I have *never* met anyone who shared your view. In fact, it strikes me as sheer craziness. It is akin to saying that debuggers should not exist. After all, the release program won't run with a debugger, so how can you debug with one? Clearly every difference between the test environment and the use environment is a trade-off. But being a competent engineer is about making rational trade-offs. I could go into more detail with real-world examples how following your advice above would have turned very simple efforts into Herculean ones, but what you're saying is so obviously absurd, I can't see how it could possibly be worth the effort. DS ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]