Spike wrote:
> Not to mention the fact that a lot of the exploits that are discovered
> in open source software may well have a directly comparable exploit in
> closed source software if the mechanism of failure is a non-obvious one
> in an otherwise typical code construct.
You mean like the integer overflows that made non-privilege-separated OpenSSH rootable a few years ago. Sure, the patch was out before the exploit was out. But did anybody take a step back, say "wow, this is a whole new type of overflow" and then audit the entire codebase for that type of overflow? I seriously doubt that*. Reviewing code is not fun. Reviewing code for the fourth time because there is this whole new type of overflow that you didn't check for the last 3 times is even less fun. People are not going to do that when they can also start coding on cool new feature X. Unless you pay them to review.

I'm not buying the many-eyes argument. It is just as likely that the apparent difference in source code quality between open and closed source code is due to closed source code being more deadline / shareholder value driven. And that means that open source does not have a natural advantage, but a temporary advantage until closed source companies get their priorities straight.

Jochem

* Except for the OpenBSD team, but they are mostly the OpenSSH team anyway.
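The overflow class Jochem refers to, as an added illustration that is not part of this thread and not OpenSSH's code: a `count * element_size` computation that wraps silently, beside the bounds check a reviewer would audit every such allocation site for. All function names here are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Naive size computation: count * elem_size wraps silently when the product
 * exceeds SIZE_MAX, so a huge count yields a tiny allocation that the code
 * later indexes as if it held `count` elements. */
size_t naive_alloc_size(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Hardened check: returns 1 and stores the product when it fits in size_t,
 * 0 when the multiplication would wrap. This is the test an audit for the
 * "whole new type of overflow" looks for at each count*size site. */
int checked_mul_size(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) return 0;
    *out = count * elem_size;
    return 1;
}

/* Allocate `count` elements of `elem_size`, or NULL when the size wraps. */
void *checked_alloc(size_t count, size_t elem_size) {
    size_t total;
    if (!checked_mul_size(count, elem_size, &total)) return NULL;
    return malloc(total);
}

/* Demonstration: a count chosen so that count*8 wraps to just 8 bytes. */
size_t wrapping_count(void) {
    return SIZE_MAX / 8 + 2;   /* (2^61 + 1) * 8 == 2^64 + 8, wraps to 8 */
}

/* 1 if the naive size is smaller than the element count, i.e. the bug. */
int naive_size_wraps(void) {
    size_t count = wrapping_count();
    return naive_alloc_size(count, 8) < count;
}

/* 1 if the checked allocator accepts the request, 0 if it rejects it. */
int checked_alloc_accepts(size_t count, size_t elem_size) {
    void *p = checked_alloc(count, elem_size);
    if (p == NULL) return 0;
    free(p);
    return 1;
}
```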

