Michael Nygard · Apr 7, 2014 · 9:30 PM UTC

Michael Nygard @mtnygard

7 Apr 2014

Serious question: is it better to rewrite a library that's had a lot of implementation problems, or is it better to keep hardening OpenSSL?

Stefan Tilkov · Apr 7, 2014 · 9:42 PM UTC

Stefan Tilkov @stilkov

7 Apr 2014

@mtnygard Well, you know about Things You Should Never Do (Part I): joelonsoftware.com/articles/…

Michael Nygard · Apr 7, 2014 · 9:43 PM UTC

Michael Nygard @mtnygard

7 Apr 2014

@stilkov Yep. Except when you should.

Stefan Tilkov · Apr 7, 2014 · 9:45 PM UTC

Stefan Tilkov · Apr 7, 2014 · 9:45 PM UTC

Stefan Tilkov @stilkov

7 Apr 2014

Replying to @mtnygard

@mtnygard Right. But a security lib especially strikes me as the sort of thing that gets a lot of value from a decade or two of bug fixes

Apr 7, 2014 · 9:45 PM UTC

Michael Nygard · Apr 7, 2014 · 9:46 PM UTC

Michael Nygard @mtnygard

7 Apr 2014

Replying to @stilkov

@stilkov I would _almost_ always agree, but for some opinions from people I respect who say OpenSSL is unsalvageable.

Michael Nygard · Apr 7, 2014 · 9:46 PM UTC

Michael Nygard @mtnygard

7 Apr 2014

Replying to @stilkov

@stilkov I'm not qualified to evaluate it myself.

Stefan Tilkov · Apr 7, 2014 · 9:48 PM UTC

Stefan Tilkov @stilkov

7 Apr 2014

@mtnygard I can’t either, but it’s probably true that a security lib is a particularly bad place for too much legacy-related complexity