dfrage | 6 years ago

> The key idea: that he is an ILBP (or has been in 10 years) is absurd. He is not....

This attitude denies support to projects like NTPsec, for which he's the technical lead; your take on this concept only applies to current maintainers of existing projects.

Even then, he's converting GCC to git, the latter indirectly bears a great deal of "Internet Load".

KirinDave | 6 years ago

I deny support for NTPsec specifically because I think it's an idea whose time has passed and now soldiers on because of inertia rather than good sense. It's sort of a meme that any project ending in "sec" is vestigial.

So no: they don't get my support. Why would they? Same with DNSsec. Useless project, please desist.

tptacek | 6 years ago

Can I just use this spot to remind everyone that when one of his commenters found an integer handling bug in the ntpsec codebase, Raymond said "I will neither confirm nor deny that I left it in there deliberately to see who would be sharp enough to spot it".

You can find it in the thread on his blog post titled (I am not making this up) "Thinking like a master programmer, redux".

Another fun fact: Cure53 audited ntpd and ntpsec concurrently, and found an instance where ntpsec rewrote a function and managed to regress out a patch for a security vulnerability, reintroducing it into their codebase. (By the way: overwhelmingly, with I think just one exception --- not counting the regression above --- the significant findings in that report applied uniformly to both ntpsec and ntpd).

Additional fun: until 2017, the ntpsec project apparently didn't even enable system/runtime mitigations like ASLR (according to the "Fix/Validation log" in the Mozilla SOS project).

Conclusion of that report: "While the NTPsec project emphasizes cleaning up its ancestors’ flaws, the difference regarding quality between the original code and the current implementation was not as great as anticipated."