The Myth of Open Source Security
Jesse Noller
jnoller at allaire.com
Thu Jun 1 10:30:46 EDT 2000
My issue is two-fold:
Number 1: Open source allows more of a "Hey, you didn't bother to
think ahead and check this yourself, when you could have, therefore, why
bother holding me liable." sort of scenario. This is good in our more and
more litigious society.
Number 2: I do not install anything on a mission critical system I
have not personally reviewed, and checked the track record on. There are
many sites which archive every vulnerability for just about any piece of
software out there. It is the designer's/admin's responsibility to check
these sites for possible vulnerabilities of the software he/she is
installing. To make the excuse "I don't have the time" or "the vendor should
have given me the patch" is, in and of itself, a denial of responsibility
(What I call the DoR attack, commonly found in extremely large
corporations).
Just my .0002 cents.
-Jesse
> -----Original Message-----
> From: Brian J. Conway [mailto:dogbert at clue4all.net]
> Sent: Thursday, June 01, 2000 8:51 AM
> To: Subba Rao
> Cc: Boston Linux Users
> Subject: Re: The Myth of Open Source Security
>
>
> > For the sake of discussion, here is an interesting article on Open source security.
> >
> > http://developer.earthweb.com/journal/techfocus/052600_security.html
>
> While I think the article covers a lot of valid points, the open source
> model gives anyone that wants to a chance to look for security holes.
> Even if no one looks at it and something slips through, in this case, it
> still is a better model than not being able to see the code at all and
> rely on shady developers to fix it for you. Sure there will be bugs, but
> at least open source allows for a mechanism of finding them and fixing
> them quickly. I'm still wondering why the author of the software is so
> concerned with touting all the holes in his program and the flaws in the
> open source model than fixing them himself. It would seem rather
> counter-productive.
>
> Brian Conway
> dogbert at clue4all.net
>
>
> -
> Subscription/unsubscription/info requests: send e-mail with
> "subscribe", "unsubscribe", or "info" on the first line of the
> message body to discuss-request at blu.org (Subject line is ignored).
>