On Dec 15, 2021, at 23:51, Brian <theturtl...@gmail.com> wrote:
> One more thought... Samba is Open Source, and I think you could make a case
> that mature, established, widely-used open source software is generally less
> exploitable than widely-used proprietary software of any age. The reason for
> this being the fact that the source code is public.
>
> With public source code in a mature codebase, all the low-hanging fruit has
> been plucked years ago. The first place a would-be exploit creator is going
> to look for vulnerabilities is the source code. Same with security
> researchers. The whole world can clearly see the implementation of the
> software, and so with something as widely deployed as Samba, errors will be
> caught swiftly by anyone from a random software engineer perusing the
> codebase out of curiosity to a security researcher being paid to find
> vulnerabilities in open source software. It follows from the sheer number of
> eyeballs looking at the code.
One would hope. But, take a look at the currently unfolding horror-show with
Log4j. That is a FOSS project, *very* widely deployed by Java shops, and had an
egregious, easily exploitable zero-day flaw (severity level 10 out of 10)
sitting in the open for years, but discovered only a few weeks ago.

(And before you ask: no, Rivendell does not use Java, and is not vulnerable to
the Log4j flaw). :)
Cheers!
|---------------------------------------------------------------------|
| Frederick F. Gleason, Jr.             | Chief Developer             |
|                                       | Paravel Systems             |
|---------------------------------------------------------------------|
| A room without books is like a body without a soul.                 |
|                                                                     |
|                                                       -- Cicero     |
|---------------------------------------------------------------------|
_______________________________________________
Rivendell-dev mailing list
Rivendell-dev@lists.rivendellaudio.org
http://caspian.paravelsystems.com/mailman/listinfo/rivendell-dev