On Mon, Apr 14, 2014 at 12:59 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:

> I applaud Akamai for trying, for being courageous enough to post code, and
> for bucking the trend so many other companies are following by being more secretive every year.

Just to be clear, so do I! As I said, the end result was net positive - within hours the fact they made this code snippet "open source" resulted in it being available to many more eyeballs, and bugs in it being found. By releasing the code, Akamai has not only helped the community (at least as a starting point - even if their actual code had issues the concept is good and no doubt will be improved upon by the wider community), but helped themselves by discovering that they were operating under the mistaken impression that their SSL keys were safe when potentially they were not.

On Mon, Apr 14, 2014 at 1:07 PM, Doug Barton <dougb@dougbarton.us> wrote:

> Agreed ... review is good, comments on needed fixes are good, but saying that Akamai, "should not be sending out non-functional, bug ridden patches to the OpenSSL community" as Pinckaers did is not constructive.

Especially when the release specifically stated "*This should really be considered more of a proof of concept than something that you want to put directly into production*" and "*do not just take this patch and put it into production without careful review*." Akamai made mistakes here, but releasing what they obviously believed to be workable code in the way that they did wasn't one of them.

Scott