Firewall Wizards mailing list archives

Re: tunnel vs open a hole


From: Joseph S D Yao <jsdy () center osis gov>
Date: Tue, 15 Apr 2003 11:25:39 -0400

On Tue, Apr 15, 2003 at 10:06:02AM -0400, Marcus J. Ranum wrote:
> Sloane, David wrote:
> > I was just about to ignore this ever-expanding thread when this post from
> > Mr. Ranum caught my attention.  Every aspect of the problem is addressed by
> > open-source software development.
>
> Spoken like a true believer...
> _BUT_ -- if open source is the solution, why do we still have the problem?
>
> mjr.

Open source is not the solution, but just another model.  Two big
holes: (a) it is not the only game in town, so people might NOT buy
into it [and all too many don't, for the wrong reasons]; and (b) the
only incentive to "get it right" in the majority of the projects where
the programmers are not paid, is the pride of getting it right.  While
for many this should be enough, there are no funds for educating the
programmers HOW to get it right, and so many holes can be overlooked.
Plus, it depends solely on the project co-ordinator how much effort is
put into reviewing the code for problems BEFORE a release.  Witness the
fact that [after being out there so many years] we are starting to see
such an increase in reported exploitable [not necessarily exploited]
flaws in open-source code.

-- 
Joe Yao                         jsdy () center osis gov - Joseph S. D. Yao
OSIS Center Systems Support                                     EMT-B
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

