At 11:09 PM 5/7/01 -0400, Jason Roysdon wrote:
>Of course if the source is open, it has more eyes looking at it (than say M$
>software which seems to be having a new security announcement every week
>right now).
>
>--
>Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
>List email: [EMAIL PROTECTED]
>Homepage: http://jason.artoo.net/
>
>
>
>"Allen May" wrote in message
>news:[EMAIL PROTECTED]...
> > Being a Libra I have to agree & disagree about open source. Open source
> > also allows the good hackers to find exploits much more easily by reverse
> > engineering the whole process. Open source is very cool for application
> > design but gives too much information to those with more destructive
> > tendencies.
> >
> > Just my re-contribution of 2 cents out of my stockpile I collected ;)

Before we get into holy wars about this, open source is not always the
ultimate end-all solution. There is good and bad software out there, and
they can be either open or closed source.

The idea of a million eyes watching it sounds great in theory, but whose
eyes are watching? Are a million monkeys going to be able to set up a
network properly? Or would you trust a small team of CCIEs? Also, most
people do not audit the code, or they fail to do so properly. So, that
million might be cut down a few orders of magnitude.

People sometimes work better when they are being paid and are somewhat held
liable for their work. With open source, it is really a "hey, if it messes
things up, sorry". Closed source is not liable either (they are to a
certain degree though), however, there is less expectation from an open
source product than from a closed source one. Cisco does not turn around and say
"Hey, I will fix that bug a bit later on, I got other things to do." But
the open source guy can. (Ok, sometimes the commercial guys do say that...
hehe, and you can get commercial support on open source software, but I
think you guys get the idea).

This is not to say all open source is bad, there are some excellent open
source products out there which I would pick over commercial solutions. I
just think we really should not devolve the entire discussion to open vs
closed. I do not think that is the case.

On the side, when there was a vulnerability in ssh, for some odd reason,
the simple buffer overflow was ALREADY Fixed in ALL commercial
implementations, the only one vulnerable was OpenSSH 2.2.0 and previous
friends or so. Sure the "many eyes" found it, but quite a bit late on a
bit of code which should have been fixed eons ago. Not to say that I would
not use OpenSSH, I think it is great stuff. Just that, sometimes the
commercial implementations are better for some products and part of it is
the fact that they are getting paid and they have a public image to maintain.

Please note I said sometimes. If anything I am more so an open source fan
than most would think. I am really more towards the right solution for the
right job be it open or closed.

-Carroll Kong

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3548&t=3362