>>>>> "Bud" == Bud Rogers <[EMAIL PROTECTED]> writes:

Bud> I've always taken for granted the idea that open source was
Bud> inherently more secure because it's open to peer review. Linus
Bud> said "Given enough eyes, all bugs are shallow." But has anyone
Bud> ever done a serious study on the subject? I've seen plenty of
Bud> emotional arguments and anecdotal evidence, but nothing that I
Bud> would consider hard evidence.
I don't have anything solid at the moment, but there are a few (obvious) things that you could do.

Bugtraq is a relatively good source of information, if you don't take the numbers for more than they are. For instance, the number of bugs and the time it takes to discover them typically grow exponentially with the complexity of the software (or something like that... that's the subject of another investigation).

You also need to consider release philosophies, because they are very important with respect to what gets considered a real security threat. For instance, most open sourcers release early and often, but have 'stable' releases that are generally considered production strength. Most closed source entities release only these 'stable' versions plus bugfix upgrades/service packs. So it's of vital importance that you are certain about what you are comparing; too many comparisons on security aren't.

I hope you will make your findings publicly available, and that I shall have an opportunity to read them.

Martin
-- 
GPG public key: http://home1.stofanet.dk/factotum/gpgkey.txt

