8 Apr
2014
8 Apr
'14
3:35 p.m.
Arran Cudbard-Bell wrote:
To be fair OpenSSL don't seem to be taking security seriously, this should have been caught by static analysis... except that code only gets submitted to Coverity sporadically, and they don't like using it because of the high rate of false positives.
Valgrind is almost useless with FreeRADIUS && OpenSSL, because of the massive amounts of complaints about OpenSSL issues.
You know what causes high rates of false positives? Weird fucked up code...
Yes. Valgrind isn't perfect, but I'd be surprised if all of it's complaints about OpenSSL are wrong. Alan DeKok.