Full Disclosure mailing list archives
Re: OSS means slower patches
From: bkfsec <bkfsec () sdf lonestar org>
Date: Mon, 19 Sep 2005 09:50:45 -0400
Ivan . wrote:
An interesting perspective?
http://australianit.news.com.au/articles/0,7204,16650762%5E15306%5E%5Enbv%5E,00.html
Symantec Australia managing director David Sykes said the increasing popularity of open source software, such as the Mozilla Foundation's Firefox browser, could be part of the reason for the increase in the gap between vulnerability and patch, with the open source development model itself part of the problem. "It is relying on the goodwill and best efforts of many people, and that doesn't have the same commercial imperative," he said. "I'm sure that is part of what is causing the blow-out in the patch window."
Yet more junk research to muddy the waters... There's a ton of generalizing being done about things that are very difficult to generalize. It seems to me that what they're doing is measuring time to release with Mozilla... which, granted, is a fair way to judge things because Mozilla doesn't seem to issue specific patches to the greater world except in the form of nightly builds, which are not suggested for normal users. However, to then turn around and tie that to the Free Software/Open Source Software methodology is, frankly, completely and totally stupid.
Anyone making such a stupid statement should be fired, or at the very least bound from making any public statement in the name of the company.
Patch release time in ANY project depends exclusively on the delivery methods of the project itself. Sometimes they come quickly, sometimes people are a bit more busy and they come after some time. Let's not forget that there are a number of closed source applications which have a history of having very long patch cycles. In essence, open source or closed source, what dictates a patch's release cycle and timing is the maintainer of the application. Anyone turning around, averaging things, and making general statements beyond that is a moron.
-Barry
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- OSS means slower patches Ivan . (Sep 19)
- Re: OSS means slower patches Michael Silk (Sep 19)
- Re: OSS means slower patches Ivan . (Sep 19)
- Re: OSS means slower patches Roman Drahtmueller (Sep 19)
- Re: OSS means slower patches Michael Silk (Sep 19)
- Re: OSS means slower patches bkfsec (Sep 19)
- Re: OSS means slower patches bkfsec (Sep 19)
- Re: OSS means slower patches security curmudgeon (Sep 19)
- <Possible follow-ups>
- RE: OSS means slower patches Lauro, John (Sep 19)
- Re: OSS means slower patches Michael Silk (Sep 19)