Full Disclosure mailing list archives
Re: OSS means slower patches
From: bkfsec <bkfsec () sdf lonestar org>
Date: Mon, 19 Sep 2005 09:56:32 -0400
Roman Drahtmueller wrote:
> Not to mention that something that actually is a function of the Free Software/Open Source Software ideologies is a degree of transparency. Security vulnerabilities are usually dealt with "best effort" commitment on behalf of the vendors. It's going to be your decision as to which model you trust more: Simply relying on your vendor's commercial commitment, or, in addition to that, benefit from an OSS developer's personal motivation to keep and improve his reputation. Keep in mind that with closed source, you can't really tell what has been changed in a fix and that the fix actually addresses the problem.
If you're measuring "time to disclosure" versus "time to patch" you most definitely should expect a difference because people are more likely to just disclose vulnerabilities in FS/OSS applications whereas people finding flaws in proprietary software tend to keep those flaws to their chest for a longer period of time than others - both for legal reasons and due to vendor requirements.
In other words, the difference in the development methods inherently makes the method of statistical analysis used invalid.
GIGO - Garbage In, Garbage Out... that mantra doesn't just work for computers, it works for statistics as well.
-Barry

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/