Even if we assume that all of the code was written by the author of the post, it's much more helpful to reason about how the mistake happened than just bluntly saying "I made a mistake and it will never happen again." Because it will, at least if you don't understand where that mistake came from, what underlying assumptions were made and not documented at the time, how the code evolved so that the assumptions were no longer valid. All of the code that's involved in this bug probably seemed reasonable at the time, all decisions made have sound reasons. Making the non-constant-time code constant time? Reasonable security practice. Implementing the code in assembly for performance reasons? Sounds about right. Implementing the incomplete formulas? Makes sense, complete formulas were not available. And so on. Every step reasonable, and yet, a bug happened. And that's the valid learning, and I'm fairly confident that most of us can learn from being reminded of that.



It's not about who wrote that code. It's about responsibility. If you are the maintainer of shitty code, then at the very least communicate that publicly. Don't come out with how bad your code is after the fact!

After he was responsible for that code for years, he now goes public and matter of factly states that all the code was shit the whole time.

Well why didn't he do anything about it then? What did he think the job description of being maintainer entailed?

Filippo wasted no time shitting on other crypto projects, like GnuPG, from what then looked like the high ground. And now he leaves Google and by the way the supposed high ground was an optical illusion (and that's the charitable phrasing).

My theory is that you people like this kind of story because it helps you cope with your own mediocrity. If Google and Golang have this kind of laissez-faire approach, why should I have higher standards? We'll just call it a life lesson as if it was handed down from heaven, as if things HAD to be this bad.

Sprinkle some "bugs happen to anyone" and "you can't have 100% security anyway" on top and your shit burger is finished.

Now feel free to downvote me, you hypocrites!


> Sprinkle some "bugs happen to anyone" and "you can't have 100% security anyway" on top and your shit burger is finished.

I mean, yeah. Both of these statements are unconditionally true.



