Another amen. I am a professional programmer. I am grateful for OpenSSL. At the same time, each time I have to use it directly (as opposed to using a few of the good C++ wrappers) I know I will be going down to hell and fighting for my life, and when I come back, my hair will be grayer :-)

Lack of good documentation is a problem for any software library, but in this case lack of documentation can also cause security vulnerabilities because the user of the API misunderstood it.

Like Charles, I propose as food for thought the very recent, very good paper on the security risks of (among other things) wrong APIs and wrong documentation: "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software", available at http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

marco.m

On 13.11.2012 19:49, "Charles Mills" <charl...@mcn.org> wrote:

>AMEN!
>
>Why is it easier to answer dumb question after dumb question here rather
>than to document the darned product once? (Never mind the cumulative
>labor of all the programmers trying to figure out and debug the same
>problems again and again and again, all over the world.)
>
>Consider
>http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf. Doesn’t *some* of the
>responsibility for these (severe and scary!) problems fall on the lack of
>clear documentation?
>
>It’s a GREAT product and I love it and am grateful but why after years
>and years do the man pages still say “under construction”?
>
>Charles