Secure Coding mailing list archives

Re: [Fwd: DJB's students release 44 *nix software vulnerability advisories]


From: Crispin Cowan <crispin () immunix com>
Date: Wed, 22 Dec 2004 00:36:37 +0000


Shea, Brian A wrote:

> Isn't the base problem residing in this essentially flawed statement:
>
> "Widely deployed open source software is commonly believed to contain
> fewer security vulnerabilities than similar closed source software due
> to the possibility of unrestricted third party source code auditing."
>
> To have fewer bugs due to an external audit, that external audit would
> have to happen, not just be possible.  Assuming fewer bugs because an
> audit COULD happen is like saying we're all infected with Bird Flu
> because it COULD happen.

Not necessarily. Just the threat of public embarrassment ("lookit the 
crappy code that John Doe wrote! <snigger>") could cause open source 
developers to be more disciplined in the first place. This hypothesis 
has been around for quite some time as part of the "open source is 
better" hype.


However, it is also unsubstantiated.

Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
