Full Disclosure mailing list archives
Re: OSS means slower patches
From: Roman Drahtmueller <draht () novell com>
Date: Mon, 19 Sep 2005 15:39:49 +0200 (MEST)
> An interesting perspective?
> Nope.
Oh, I think it is. To some degree, the statements made are plain wrong.
> http://australianit.news.com.au/articles/0,7204,16650762%5E15306%5E%5Enbv%5E,00.html
>
> Symantec Australia managing director David Sykes said the increasing popularity of open source software, such as the Mozilla Foundation's Firefox browser, could be part of the reason for the increase in the gap between vulnerability and patch, with the open source development model itself part of the problem.
>
> "It is relying on the goodwill and best efforts of many people, and that doesn't have the same commercial imperative," he said. "I'm sure that is part of what is causing the blow-out in the patch window."
The modern Linux distributor's role is to mediate such gaps, should they actually exist in the first place. It sometimes happens that OSS developers don't care much about journalistic hype about vulnerabilities that aren't really as high-profile as they are inflated to be.

Common mistakes made in quantitative comparisons of vulnerabilities are

 * comparisons between apples and oranges
 * the severity rating applied does not correspond to the real world, or no severity rating is applied at all.

Know that the most severe vulnerabilities are being fixed fastest.

Security vulnerabilities are usually dealt with on a "best effort" commitment on the part of the vendors. It's going to be your decision as to which model you trust more: simply relying on your vendor's commercial commitment, or, in addition to that, benefiting from an OSS developer's personal motivation to keep and improve his reputation. Keep in mind that with closed source, you can't really tell what has been changed in a fix and whether the fix actually addresses the problem.

My personal understanding (from experience) is that Open Source Software developers take very much pride specifically in the security qualities of their code. The SUSE Security Team's experience in working with vulnerabilities in OSS during the last half dozen years has clearly shown that OSS developers DO care about security. We have also observed a growing awareness of the security properties of the code and an increasing interest in cooperating with security folks on their findings and ideas.

so long,
Roman.
-- 
- -
| Roman Drahtmüller <draht () novell com> // "You don't need eyes to see,
| Security Architect Phone: // you need vision!"
| Novell - SUSE Linux +49-911-740530 // Maxi Jazz, Faithless
- -

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- OSS means slower patches Ivan . (Sep 19)
- Re: OSS means slower patches Michael Silk (Sep 19)
- Re: OSS means slower patches Ivan . (Sep 19)
- Re: OSS means slower patches Roman Drahtmueller (Sep 19)
- Re: OSS means slower patches Michael Silk (Sep 19)
- Re: OSS means slower patches bkfsec (Sep 19)
- Re: OSS means slower patches bkfsec (Sep 19)
- Re: OSS means slower patches security curmudgeon (Sep 19)
- <Possible follow-ups>
- RE: OSS means slower patches Lauro, John (Sep 19)
- Re: OSS means slower patches Michael Silk (Sep 19)