Edit on 2014/04/18: This was actually a real mess. I did figure this out the other day but truth be told the reason it was a real mess is the same reason I’m only getting to update it today: too much going on at this time. To be honest I think that this could be changed significantly and it realistically should be done. Therefore, I’m removing the anger and spite from it (which is an indication of “the too much going on at this time”). While I do think people take things for granted and it annoys me a great deal, I think it detracts from my original point, which is this: no one is perfect and by understanding this you can not only better yourself but you can also better others (and that is why I shared a story where I made a very stupid mistake, hated myself for it but I was offered wisdom and I got over the obstacles). Unfortunately, there was a lot of anger (I’m not sure that is a strong enough word even, sadly, and that is how I’ve been feeling overall) and spite thrown in it. Ironically, this pretty much defeated my entire credibility on the subject (being respectful, being understanding of others and others’ mistakes as well as [your] mistakes). I have now removed the update and the original portion that was bad as well as fixed a couple thoughts. As for the other things, while it had good intentions, it is not the correct approach and it is something I will either write about at some point in the future, or not. I don’t think it matters until then.
This is (or was) primarily to Robin who is the person responsible for the mistake that led to the heartbleed vulnerability. However, realistically it is to every person who makes a mistake (so that includes me, for sure – see above for a rather big example – and every single person on the face of Earth). More than that, it is to those who feel bad about themselves for making a mistake. While I don’t think Robin was feeling bad about himself I can relate the same for a very similar bug in a program I am a programmer for: ultimately memory corruption by way of a miscalculation resulting in going out of the bounds of a buffer. It is an insidious type of bug; they are very hard to track down if you end up crashing (which is inevitable for programs that are meant to run 24/7) because the stack is completely trashed and the original instruction (the error) has long since happened. Unfortunately, the same type of bug can both be abused by causing a crash (and therefore potentially running arbitrary code) and by what the heartbleed vulnerability allows: leaking information (interestingly, a core dump that can be created from crashes can ALSO leak information, because a core dump represents the process’ memory space at the time of the dump; then think about deliberately causing the program to crash at a specific time where something potentially confidential is in memory. This is kind of like RAM scrapers, only by causing a program to crash at the right time) that should not be available. For the purpose of the ‘letter’ in question, you can consider ‘Robin’ as ‘you’ or if you prefer (by all means – I fully admit it) you can consider it as ‘Xexyl’. In fact, I think that is quite appropriate. Furthermore, when I write ‘you’ you can consider it yourself, your worst enemy or – more appropriately – me. The bottom line is that no one is perfect and I share some wisdom I was given by a good friend when I needed it.
This is one of the – admittedly probably few – times where I am actually trying to give to others I don’t even know (maybe that is even the only time as I am emotionally and socially cold). One could argue this is because by giving this out, I am allowing others to accept that they too are not perfect and that accepting mistakes can only make the world better (which makes me better). Indeed, the cynical me (which is to say, me as I always have been) would believe – no, knows – this to be the case. But still, if it helps anyone, so be it.
When you made the mistake you were being exactly what was expected of you: you were being a human. Humans are imperfect and no one is immune to making mistakes. Further, when you wrote (which I saw first on the BBC) the following:
“It’s tempting to assume that, after the disclosure of the spying activities of the NSA and other agencies, but in this case it was a simple programming error in a new feature, which unfortunately occurred in a security-relevant area,” he told Fairfax Media.
“It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”
It somewhat disheartens me (in some way or another). This is coming from someone who does not really experience what most would call positive emotions or indeed many emotions at all*. Why is it that I feel this way, then? Because, as a fellow programmer, I know all too well how making mistakes of serious consequence can affect your sense of morale. But make no mistake here: you can only learn and better yourself from it.
And as for you trying to contribute to the project: don’t think for a moment that you were trying. No, you WERE DOING which is much better than those who take for granted what OpenSSL provides (and taking that for granted is shameful but an unfortunate reality). The fact you made a mistake? Well, who doesn’t? No programmer has never made serious errors. Even when you are calculating the size of an array (or memory block) to allocate, all it takes is getting distracted for one nanosecond (the phone rings) or being tired (without realising that). I have done exactly this: I calculated an array size, made the other appropriate adjustments, committed the changes to [the] CVS repository and later on I got corrupt coredumps until it was fixed. It was of seemingly random nature (as is expected with buffer overflows). I looked through the diffs of recent revisions and finally I fixed it a fortnight later. It drove me crazy until I got it sorted. What had gone wrong? I remember chatting with someone who was involved in the project (but not by programming) at the time and I told her that I was feeling very sleepy. I then went to rest but the mistake (and not sensing how tired I was) was already made. And yes, this bug was a buffer overflow because I calculated the size incorrectly (meanwhile, I had fixed most if not all bugs in the bug file of said project). But indeed, the fact it drove me mad shows just how much programmers (especially those who program with no pay on free projects, like you and I) CARE about resolving problems and prefer to FIX rather than work-around problems (which only masks something else), sometimes for EVERY WAKING SECOND. This itself is nothing short of commendable and beyond a doubt a very respectable trait! And you should be respected for your contributions! OpenSSL is very important and you should be proud of yourself!
I have some wisdom for you. While I’m only a year or so older than you, I have a good friend from Holland who is something of a mentor to me. He surpasses me on programming and Unix both of which I’m very sufficient with but he is also older than me (he’s in his 40s). I know him by way of that bug I implemented (the buffer overflow one), which was in his project. He offered me some advice and I have offered it to others in similar (even if not programming) circumstances (a mistake the person is down or disappointed with themselves about, or even just wondering how it happened). Now it is your turn. I am omitting parts of the message that are more project specific (which would need more background and is irrelevant to the point; basically he was suggesting he had made far worse mistakes in the past):
Don’t get stressed because you made a mistake. This
In Holland we have a saying which, when directly translated, means:
Where there is lumber work, there’s wood chips.
Which means as much as: When you do something, you are bound to make
a mess :)
And what it all boils down to is this, then: you accept that you made a mistake (you already did this) and you address it to the best of your ability (which presumably you did or would have if someone else did not beat you to it) and ultimately you learn, which is growth. I suspect highly you also learned from this. That you were able to publicly admit it (let’s neglect the fact revision control systems can show that since most wouldn’t know how if they even had access to the repository) shows a huge amount of integrity and that, my fellow programmer, is very respectable. You deserve nothing but praise – your honesty and integrity shine and you contribute to an important project.
Kind regards, and keep up the great work!
(If you excuse the irony: I told you the recipient should be Xexyl but now the sender is Xexyl. Which is it then? Who knows? I would suggest every person knows the truth. For me the truth is: both. As for the keep up the good work to myself? Well, I admit I try not to act like a narcissist but perhaps this time there is some sign of it, even if unintentional. Alternatively, it might just be the unintended irony in the first place or even that by fixing what was a huge rant full of rage, I am now “doing good” and “should keep it up”. Choose your poison, whatever it may be: if you have to poison yourself at least make it somewhat pleasant, right?)
*My point is specifically that I don’t really relate to people very well, if at all. And in addition, I don’t feel many emotions and the emotion I feel is quite negative. I don’t identify with them and this shows itself in various ways. Regardless, what I can relate to is being a programmer and knowing how – at least for the programmers I know – we strive to fix the bugs we implement (this is true: bugs aren’t created by accident – they are implemented) and are not satisfied until the program works properly (and by work I don’t mean seems to work, I mean it truly is properly functioning; indeed, memory corruption – much like, and interestingly enough, faulty RAM – can cause very seemingly random problems at times but at other times things seem OK but in reality things are not OK).