Government agency dragging its heels on OpenSSL validation (NewsForge)
Posted Jan 24, 2006 2:29 UTC (Tue) by sveinrn (guest, #2827)
In reply to: Government agency dragging its heels on OpenSSL validation (NewsForge) by iabervon
Parent article: Government agency dragging its heels on OpenSSL validation (NewsForge)
Of course it is easier to validate when you have both the source and binary. But when you have the OpenSSL source it should be very easy to create a binary.
But as far as I can see, it should be possible to validate the code based on what the ISO standard for C99 (or some other standard if it is not written in C...) specifies that the code should do. And if the standard is ambiguous, one has to either demonstrate that all interpretations of the code allowed by the standard lead to the same result or replace the code.
It should not be necessary to compile and test the code with all supported compilers and every possible compiler option under all supported operating systems running on all supported hardware platforms. If the code survives a validation at the source code level, any bugs left would have to be the result of a buggy compiler, library, OS or CPU.