Comment Re:Specious Argument (Score 1) 113
It was the lack of altruistic eyes scrutinizing it.
That was a secondary effect. People who might want to analyze code want to do a good job, and there's a lot of code worth analyzing.
To do that job there are tools that help with that analysis. OpenSSL's use of non-standard internal memory management routines makes it resistant to use of such analysis tools.
Is it impossible for a code auditor to keep everything in his head? No, but it's tough and error-prone. Some people have found OpenSSL bugs before, of course, but there are ways to make it easier for auditors to stand a fighting chance.
That's largely what the OpenBSD team is doing - ripping out all of that unneeded memory management crap, killing OS/2, VMS, and MacOS7 support code, etc. The payoff should be more people looking at it, but it sure wouldn't hurt for some companies that save millions by using OpenSSL to throw the team a few bones once in a while to make it more regular. Or hire their own internal folks to do the same, if that would work out better.