On Thu, 5 Aug 2004, Jacob Meuser wrote:

> On Thu, Aug 05, 2004 at 02:02:44AM -0700, T. Joseph CARTER wrote:
> > On Wed, Aug 04, 2004 at 09:23:15PM -0700, Jacob Meuser wrote:
> > > > But where open source is different from proprietary code is that
> > > > open source encourages honest people to access source code, and
> > > > find security holes and patch them fast. The large open-source
> > > > community can find and patch security holes faster than teams of
> > > > proprietary developers - even when those developers work for
> > > > Microsoft - simply because the proprietary developers are hobbled
> > > > by their need to keep secrets.
> > >
> > > This is horse hockey. Bad code is bad code. Yes, they _can_ find
> > > the problems, but all too often it's after an incident.
> >
> > This is true enough, but it's true for any code. You usually don't know
> > it's broken until someone reports the vulnerability. The issue is, what
> > is the frequency and severity of these vulnerabilities? What is the
> > average time to a workaround? To a proper fix? How often does a proper
> > fix actually fix the underlying problem?
>
> True, but the author was implying that fixes come before incidents.
Sometimes they do. I know of at least one kernel release that was specifically to patch a hole that was discovered. There were no exploits of the hole. OTOH, Microshaft sat on security holes that were reported to them until *after* they were publicly announced and exploited.

-- 
Allen Brown
work: Agilent Technologies
non-work: http://www.peak.org/~abrown/
[EMAIL PROTECTED]
[EMAIL PROTECTED]
I am not really an actor, I just play one on television. --- A.B.

_______________________________________________
EUGLUG mailing list
[EMAIL PROTECTED]
http://www.euglug.org/mailman/listinfo/euglug
