From: Simon Clubley
Newsgroups: comp.lang.ada
Subject: Re: How to get Ada to "cross the chasm"?
Date: Mon, 30 Apr 2018 17:18:32 -0000 (UTC)
Organization: A noiseless patient Spider
Message-ID:
References: <1c73f159-eae4-4ae7-a348-03964b007197@googlegroups.com> <87k1su7nag.fsf@nightsong.com> <87po2la2qt.fsf@nightsong.com> <87in8buttb.fsf@jacob-sparre.dk> <3f7a7f76-c5eb-4cba-9051-6b5dfeeb906c@googlegroups.com>

On 2018-04-30, Jeffrey R. Carter wrote:
> On 04/30/2018 03:06 PM, Simon Clubley wrote:
>>
>> Software does become stale when it starts getting probed for security
>> issues in new ways and you need to fix the security issue that has lain
>> unfixed for years or even decades and maybe do a redesign to fix any
>> underlying problems.
>
> S/W that is correct and reliable has no security issues, by definition.
>

There is a difference between that and software that you just _think_ is correct and reliable.

>> This is a CLI, not a library, but it demonstrates the point:
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17482
>>
>> That's something I discovered and yes, that's a DCL vulnerability
>> that lay undiscovered in VMS for 33 years until I found it.
>
> That S/W didn't become stale; it was always incorrect and unreliable.
>

It was an example of how security issues can live undetected for a very long time in heavily used production code until someone probes the software in a new way for security issues.

Simon.

-- 
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world