top | item 30720073

(no title)

With these kind of changes I always wonder if they make the product more secure or less secure.

discuss

Cthulhu_|4 years ago

It's why I'm thankful it's both open source and highly scrutinized by the community, both volunteers, independent security researchers, and big companies like Google that deploy billions of instances of Linux (servers, google cloud, android, chromeOS, etc).

blcknight|4 years ago

The backdoored elliptical curves were vetted too…

bspammer|4 years ago

As Jason mentions, the most important contribution here is to make the code more readable and improve documentation.

But there are also some fairly unambiguous improvements - switching from SHA1 to BLAKE2 for extracting the random bytes for example.

mkesper|4 years ago

Yes, I think there's some points we can generalize for all software there:

- Readability counts. If you can't read the code, who could test or improve it?

- Documentation needs to be cared for near the code, only then you have a chance it's not outdated

- It's possible to improve correctness and efficiency at the same time (if your code is understandable)

- Use the literature available

- Code once holding high standards will need to be checked constantly too so it doesn't rot.

ape4|4 years ago

With this and Wireguard Jason is hitting it out of the park. I wonder what's next.

tptacek|4 years ago

In this case, more.