Security Basics mailing list archives
Re: Why open source software is more secure
From: Chad Perrin <perrin () apotheon com>
Date: Tue, 13 May 2008 13:51:08 -0600
--- Begin Message ---
From: "Chad Perrin" <perrin () apotheon com>
Date: Tue, 13 May 2008 13:09:14 -0600
On Tue, May 13, 2008 at 10:29:54AM -0700, Hayes, Ian wrote:

> In addition, the recent announcements from Debian and Ubuntu sort of help throw out the idea that open source is inherently "more secure".

Really? You think a single anecdotal instance completely invalidates a heuristic measure of security? Have you studied formal logic at all?

> According to the Debian Security Advisory, a Debian package manager introduced a fault into the OpenSSL package for Debian in 2006 and has persisted until now.

This was a failure of communication, not of the open source "security through visibility" model. The increased probability of security in open source development, all else being equal, is a matter of opportunity and tendency -- not of 100% inviolable "always completely secure" status. If someone said that open source software was always 100% secure, period, I'd agree that this instance is an effective disputation of that statement. If someone said something reasonable, however, like "open source development models tend toward greater security", I'd have to say that this incident serves to disprove *nothing* in that statement.

I wonder how many closed source software projects have the same problem (or similar problems), but we don't know about it because they're closed source projects and the only people discovering the problems are users of fuzzing tools and the like. I'll keep wondering, too, because by the very nature of closed source development we have no way to find out. All we know is that the number of people with the ability to go through source code looking for stupidities like this is greatly reduced in equivalent closed source development projects, and that the motivation for security testing dilettantes to find and report problems is greatly reduced with closed source projects as well -- especially in cases where submitting bug reports actually costs money or security researchers are badly treated (or both, as in the case of Microsoft).
--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Patrick J. LoPresti: "Emacs has been replaced by a shell script which 1) Generates a syslog message at level LOG_EMERG; 2) reduces the user's disk quota by 100K; and 3) RUNS ED!!!!!!"
--- End Message ---