
Comment: Re:Quantity is not quality (Score 1) 374

by drolli (#46799851) Attached to: OpenSSL Cleanup: Hundreds of Commits In a Week

Funny. I never suggested that I would use Java for this purpose, I just pointed out that I assume that the same level of coding tools exists for C (as you stated yourself).

Regarding the VM JIT vs. statically compiled code + a big amount of interpreters: Yes, for high-security code I definitely prefer statically compiled code. OTOH I point out that *most* of the JVM vulnerabilities were actually not in the low layer compilation but in the somehow weird assumption that security can be managed inside the same address space by high-level language features (which implicitly assumes that libraries of arbitrary complexity with JNI code inside are all written perfectly).

Comment: Re:Quantity is not quality (Score 4, Insightful) 374

by drolli (#46798711) Attached to: OpenSSL Cleanup: Hundreds of Commits In a Week

I can't talk for C, but in Java the tools which warn you about potentially dangerous constructs are great (e.g. Sonar). You can easily identify many *suspicious* constructs and change them to something more safe. 250 commits per week with 4 devs on a moderately sized project do not seem much to me, much on the "quality" and not the "quantity" side.

What annoys me is that - with all due respect - the companies which embed OpenSSL in their products could have done a review of the code for quality. To me it seems that it's a fundamental library.

Comment: No. (Score 1) 188

by drolli (#46787971) Attached to: Heartbleed Sparks 'Responsible' Disclosure Debate

If I find a bug which is critical to my employer while being paid by my employer, the first and only thing which I do is assess the impact to my employer, and identify the most important measures for the employer's business.

IMHO they acted correctly: protect your own systems, and then the systems with the biggest impact.

Comment: Project management (Score 2) 162

by drolli (#46786355) Attached to: Oracle Deflects Blame For Troubled Oregon Health Care Site

I am working as a consultant.

My good advice to every customer is: don't buy consultant work as time and material. Buying as time and material puts the wrong incentives to everybody:

- Your own people will feel that they still can just use them as normal workers and keep all decisions (and thus responsibility) to themselves

- The consultants don't care, since just doing what your own people tell them without thinking is what gets their monthly timesheets signed. If something goes wrong they can even sell more hours, not less

- The consulting company does not care (and rightly so since that was not what you asked for) and will send you inexperienced junior consultants wherever possible.

- Coding quality has to be reviewed by your own people (or just accepted as it is)

- Your own people are usually vastly inferior at project management in comparison to the average senior consultant - in a non T&M contract the usual situation is that you get the things done in time or you will lose money.

Comment: Chernobyl was not a meltdown (Score 1) 217

by drolli (#46785975) Attached to: MIT Designs Tsunami Proof Floating Nuclear Reactor

Chernobyl would not have been prevented by putting the reactor in water. It was the only accident which had a "nuclear power excursion" as the reason. TMI and Fukushima were a failure of the classical cooling.

In Chernobyl the operators ignored the normal precautions. They operated the fuel in a state where xenon (see http://hyperphysics.phy-astr.g...) was present. Due to this the system was far away from the assumed stable operation point assumed in the controls.

The power which you would have needed to dissipate at the event to cool the reactor would have been on the order of 200GW. Normal heat transfer coefficients are on the order of 10s of KW/m^2/K. If I assume that you allow 200K difference on the surface, you end up at an active cooling surface of 100000m^2, which just is not there, not even if you drop the reactor into water.

Comment: Controlling? (Score 1) 693

by drolli (#46741761) Attached to: The GNOME Foundation Is Running Out of Money

Let me get this right (from their wiki page):

GNOME, as the lead organization, has been responsible for managing the finances for the entire effort. However, as the program grew, the processes did not keep up. The changes were not tracked effectively from the point when other organizations joined the OPW. This impacted not only our ability to manage the OPW administration, but also to keep up with the core financial tasks of the Foundation -- tasks which already needed the full attention of the Foundation's employees and the board.

So other organizations accepted liabilities which were automatically transferred to GNOME Foundation? Or they plainly lost track? Or they did not calculate before what limit for accepting students there is?

Did they - by spending money on a side track - fuck up an organization which should - given the situation about people not being happy with their main project - focus on stakeholder management? I mean it's not like that job is not important for the FOSS community. And to me it seems that the execution of the job leaves some things to be desired.

Comment: national security (Score 1) 134

by drolli (#46740405) Attached to: Obama Says He May Or May Not Let the NSA Exploit the Next Heartbleed

The national security interest would be to patch the hole, not to leave it open. This hole was too easy to exploit, and supposedly enabled identity theft on a massive scale, even to vastly inferior intelligence services.

The comparison with the centrifuges in Iran is misleading. For that combination of attacks it is very hard even to find suitable experts to generate the code.
