[Eug-lug] EDITOR'S NOTE:

Allen Brown abrown at peak.org
Thu Aug 5 20:33:18 PDT 2004


On Thu, 5 Aug 2004, Jacob Meuser wrote:

> On Thu, Aug 05, 2004 at 02:02:44AM -0700, T. Joseph CARTER wrote:
> > On Wed, Aug 04, 2004 at 09:23:15PM -0700, Jacob Meuser wrote:
> > > > But where open source is different from proprietary code is that
> > > > open source encourages honest people to access source code, and
> > > > find security holes and patch them fast. The large open-source
> > > > community can find and patch security holes faster than teams of
> > > > proprietary developers - even when those developers work for
> > > > Microsoft - simply because the proprietary developers are hobbled
> > > > by their need to keep secrets.
> > > 
> > > This is horse hockey.  Bad code is bad code.  Yes, they _can_ find
> > > the problems, but all too often it's after an incident.
> > 
> > This is true enough, but it's true for any code.  You usually don't know
> > it's broken until someone reports the vulnerability.  The issue is, what
> > is the frequency and severity of these vulnerabilities?  What is the
> > average time to a workaround?  To a proper fix?  How often does a proper
> > fix actually fix the underlying problem?
> 
> True, but the author was implying that fixes come before incidents.

Sometimes they do.  I know of at least one kernel release that was
specifically to patch a hole that was discovered.  There were no
exploits of the hole.

OTOH, Microshaft sat on security holes that were reported to them
until *after* they were publicly announced and exploited.
--
Allen Brown
  work: Agilent Technologies      non-work: http://www.peak.org/~abrown/
        allen_brown at agilent.com                  abrown at peak.org
  I am not really an actor, I just play one on television.  --- A.B.