(no subject)

simont, Wed 2004-08-04 10:24

It has been a bit of a strange week.

Last night I released a new version of PuTTY, fixing a scary security hole which has apparently been present since the beginning of recorded history. We received notification of this hole a week ago, and I've been frantically running around trying to clear up the mess ever since.

This is only the second security incident PuTTY has had, and for the first one it was in good company (a rather large range of similar programs had related holes). This is the first time it's been us alone, and nobody's fault but mine.

Of course, everybody makes mistakes, and all programs contain bugs. Mostly you just quietly put out a new release, and anyone who cares about the bugs can upgrade. But when you become a security developer, the deal you accept is that suddenly your bugs are no longer things you can quietly fix without fuss; suddenly a bug can be a seriously big deal, and can affect people even when they haven't noticed anything wrong, and so you have to stand up and announce very loudly that you've been a muppet so people know they need to upgrade. You should not go into this field if public embarrassment is a problem for you.

On the plus side, this sort of thing happens to everybody else in the field as well, and you're more likely to be judged on the efficiency, promptness and honesty with which you deal with it than on the incompetence to let it happen in the first place. And on that basis I reckon we did OK; a response time of one week is quite a bit longer than I'd have liked (a fair amount of the delay was me trying to extract more information from the person who reported the problem, because the initial report was unclear), but is downright whizzy by comparison to a lot of security products.

All of that is the theory, anyway. I've been telling myself all that constantly for the whole of the last week, but it doesn't entirely stop the lingering guilt; the feeling that some number of million users have been depending on that code for years, including almost all my friends in particular, and that I, personally, have let every single one of them down. On Saturday, most of which I spent doing actual fixing, I had a fairly serious guilt trip at lunchtime and almost didn't manage to make it back to the keyboard.

Fortunately, after slogging on with it for a bit, I managed to recover some pride in my work by means of fixing the problems in a robust and sensible ‘now why didn't I think of that before?’ sort of way, and that seemed to get me over the worst of it. And now I've actually put out the fixed release, I mostly feel all right about it. Certainly it's a relief not to have it actually hanging over my head any more.

Apart from that, this week has been pretty good so far. Skipped the usual Pizza Express gathering on Monday because I had arranged to be feeding home-made ad-hoc pizza to lnr, which was great fun (if messy, in a throw-everything-randomly-around-the-kitchen sort of way) and I should make home-made ad-hoc pizza more often. Then Calling yesterday, with the surprising addition of the_alchemist, who it was particularly nice to see.
