undefined | Better HN

0 pointsawongh2mo ago0 comments

Wow, also this:

> The OpenSSL project does not sufficiently prioritize testing. [... ]the project was [...] reliant on the community to report regressions experienced during the extended alpha and beta period [...], because their own tests were insufficient to catch unintended real-world breakages. Despite the known gaps in OpenSSL’s test coverage, it’s still common for bug fixes to land without an accompanying regression test.

I don't know anything about these libraries, but this makes their process sound pretty bad.

0 comments

2 comments · 2 top-level

kccqzy2mo ago

This quote about testing is way worse:

> OpenSSL’s CI is exceptionally flaky, and the OpenSSL project has grown to tolerate this flakiness, which masks serious bugs. OpenSSL 3.0.4 contained a critical buffer overflow in the RSA implementation on AVX-512-capable CPUs. This bug was actually caught by CI — but because the crash only occurred when the CI runner happened to have an AVX-512 CPU (not all did), the failures were apparently dismissed as flakiness.

wavemode2mo ago

OpenSSL is (famously) an extremely terrible codebase.

It's likely that over the long-term the tech industry will replace it with something else, but for now there's too much infrastructure relying on it.

j / k navigate · click thread line to collapse