Author

Topic: Code review of standard client? (Read 856 times)

full member
Activity: 182
Merit: 100
November 17, 2013, 07:23:03 AM
#4
I see that this is a few weeks old but I want to bump it up because I would have thought there was a better answer out there.
legendary
Activity: 1400
Merit: 1013
November 08, 2013, 03:00:46 PM
#3
Has there been a public, in-depth, 3rd party review of the standard bitcoin client?  I have experience with software engineering... an industry average is at least 1 bug per 1000 lines of code.  The bugs might be trivial or critical, easy to spot or hard to discern or activate.  I am NOT saying that the people who write bad code, but that programs are written by humans, and even the best of us make mistakes.
Talk to the people at Conformal Systems.

They wrote a reimplementation of the client in another programming language, so had to go through the code with a fine toothed comb to be able to discover and document all its quirks.
legendary
Activity: 2053
Merit: 1356
aka tonikt
November 08, 2013, 02:53:34 PM
#2
So far the only public review you can relay on is that the public has not reported having their money stolen from the standard client, despite of all the incentives behind it.
Only tiny Android wallets were robbed so far, but that's only because Google added "even more bugs" while fixing one in Android's RNG... allegedly - they made a seminar about the details of this incident, but it was only for a high profile scientists Wink

Which doesn't mean stolen coins won't be reported, for the standard client, in a future - just wait... the great new versions are coming, right from Google's best security experts.
I already have my popcorn bought and waiting to be heated Smiley
newbie
Activity: 28
Merit: 0
November 08, 2013, 02:45:47 PM
#1
Has there been a public, in-depth, 3rd party review of the standard bitcoin client?  I have experience with software engineering... an industry average is at least 1 bug per 1000 lines of code.  The bugs might be trivial or critical, easy to spot or hard to discern or activate.  I am NOT saying that the people who write bad code, but that programs are written by humans, and even the best of us make mistakes.

http://mayerdan.com/ruby/2012/11/11/bugs-per-line-of-code-ratio/

http://security.stackexchange.com/questions/21137/average-number-of-exploitable-bugs-per-thousand-lines-of-code

http://www.techrepublic.com/blog/it-security/the-danger-of-complexity-more-code-more-bugs/

Kudos on the protocol fuzzing work that appears to be going on.
Jump to: