On 2003.05.05 08:34 Dustin Puryear wrote:
> Perhaps. However, I do not think that the average open source software is
> any more secure than closed software. There is a [higher potential] for
> security, but that doesn't mean that there is a higher level of security
> for the average software.
Ah, I've heard that often lately and I don't buy it. Even one of the authors of fetchmail said it a while back. The only way to make it true is to twist around the definition of "average" and ignore key differences in security models and user choice. When you are honest about the software people use, the potential is often realized. Widely used programs are scrutinized, and free code has significantly fewer bugs than its commercial counterparts. People who define "average" by counting stuff on SourceForge rather than looking at program deployment are not being very honest.

When we are talking about the difference between Windows and free software, architectural differences must be considered. You mentioned not putting X on a web server. That makes sense, but it does not make X a bloated, buggy thing like windoze; it's just a matter of risk management. You don't need X to run a server, so the additional small risk of using it is not justified in many cases. It's rumored that Microsoft is working on a version of their server that does not have or need a GUI. This is a glaring example of Windows' lack of modularity causing security problems that don't exist in the free software world. As I mentioned before, free software is not so brain-dead as to run email and browser software as root. Both of these differences, user choice and unprivileged users, are barriers to break-ins that Microsoft may never erect.

At some point it becomes a matter of faith. When I've finished mulling over the past and the above reasoning, the future is still unknown. Because I can't review every line of code I'll ever use, at some point I have to trust the authors. I trust free code developers to be honest. Reason, memory and bad faith are all against Microsoft.
I'm going to choose software written by people who release it under a license that respects my ability to use the software as I see fit, understand the software, modify the software to meet my particular needs, and share those modifications with my friends. This approach is going to work much better for security than a humiliating "submit" button that violates all of the above. People who lack respect for their users must care less about them than those who do respect their users. In the end, I can't see any company being able to compete with free software. Time will tell. Extrapolating from a few DoS vulnerabilities in one or two projects is more hazardous than extrapolating from Microsoft's record of root exploits and internet-destabilizing worms.
