Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

On Fri, Sep 6, 2013 at 6:02 PM, Tim Bray <tbray@xxxxxxxxxxxxxx> wrote:
How about a BCP saying conforming implementations of a wide variety of security-area RFCs MUST be open-source?

*ducks*

And the user MUST compile them themselves from the sources?

Nobody runs open source (unless it's an interpreted language). They run the compiled version and there is no infrastructure to check up on the compilation.

Nor does being open source provide any additional security; only review provides security, and it is hard enough getting people to review other people's code when you pay them to do that. Expecting people to spend their time reviewing other people's code for fun is naive. Kerberos had a major architectural flaw that went unnoticed for over a decade.



 

--
Website: http://hallambaker.com/
