On Thu, Apr 16, 2020 at 12:50 PM Aapo Talvensaari aapo.talvensaari@gmail.com wrote:
> On Thu, Apr 16, 2020 at 12:44 AM Jeffrey Walton noloader@gmail.com wrote:
> > ...
> I agree with Tim. If the project is of any importance, as I think Nettle is, there is no problem in finding a new maintainer in case it is needed.
If Niels dies then here is what happens (sorry Niels)...
Nettle at Lysator becomes stale over time and bugs won't get fixed because no one has access to the sources. Most users will continue to use Lysator because that is what search engines return.
I'll fork and fix OS X. Some users will use my fork.
Tim will fork and add curve448 stuff. Some users will use Tim's fork.
Now you have three different forks and the only official source is proverbially dead. Forking has turned the Maven [in]security problem into hundreds of additional problems.
The loader is brain dead and can't figure out which library a program compiled/linked against. The shared objects are not interchangeable, so users get to enjoy a DoS.
Planning to avoid problems like these is usually outside of a developer's forte. Folks like Management, Security Engineers and Security Architects worry about the big picture items, like ensuring continuity.
Peter Gutmann has a really good book that discusses topics like these, see Engineering Security, https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf. Another good book is Ross Anderson's Security Engineering, https://www.cl.cam.ac.uk/~rja14/book.html.
Jeff