

Based on the sum of the evidence that’s now filtered in, and in the consensus view of experts, the primary cause of the TrueCrypt crisis of the last few days was developer fatigue.

After 10 years of thankless work developing the open source disk encryption tool, faced with the need to do major extending and refactoring of the codebase to support new technical requirements and demands from security auditors, the anonymous author or authors decided to throw in the towel.

The way they did it tells of more complex motives, and has supplied ample fuel to the conspiracy theorists of the world. But importantly, there is no evidence that these events were motivated by any known security flaw or trust deficiency in TrueCrypt or in its build or distribution process, or by any act of coercion.

And in spite of the apparently deliberate reputational damage committed by the developers, unless and until demonstrated otherwise, TrueCrypt is in fact still secure, and this story is far from over. Having spent many years as a software engineer authoring and operating components in the scope of large, interconnected applications, I can sympathize completely with the TrueCrypt developers’ assertions of fatigue. When you singularly own code that a lot of people depend on, are too stubborn to share the burden with others, and are so foolishly sentimental and antiquated as to actually care about the quality of what you’ve produced, every line of code is a perpetual, open-ended obligation. Over time these incremental weights amass to a mountain on your shoulders. External requirements and change requests present as a nuisance to your carefully harmonized machine, a nuisance that compounds and amplifies. Before a breaking point is reached, software developers that aspire to fight another day will either learn to play nice with others or pull an old trick whereby responsibility is outright shifted off to new owners. Those who refuse to relinquish absolute control die hard, and that’s what happened to TrueCrypt this week. The authors of TrueCrypt were staring down the barrel of having to add support for UEFI Secure Boot and GPT in order to support full disk encryption on Windows 8. As it turns out, developing around the Windows boot process is a huge pain in the ass, or as someone else put it, effectively tasks developers with “out-Microsofting” Microsoft.
