nanog mailing list archives

Re: RES: Exploits start against flaw that could hamstring huge swaths


From: Baldur Norddahl <baldur.norddahl () gmail com>
Date: Tue, 4 Aug 2015 23:21:00 +0200

On 04/08/2015 19.18, "Christopher Morrow" <morrowc.lists () gmail com> wrote:

On Tue, Aug 4, 2015 at 12:51 PM, Baldur Norddahl
<baldur.norddahl () gmail com> wrote:
On 4 August 2015 at 18:48, Joe Greco <jgreco () ns sol net> wrote:

However, the original point was that switching from BIND to Unbound
or other options is silly, because you're just trading one codebase
for another, and they all have bugs.


It is equally silly to assume that all codebases are of the same quality and
have equally many bugs. Maybe we should be looking at the track record of
those two products and maybe we should let someone do a code review. And
then choose based on that.

because:
  1) historical results matter here? (who looked at which products
over what period of time, with what attention to detail(s) and which
sets of goals?)
  2) the single person doing a code review is likely to see all of the
problems in each of the products selected?


Maybe not, but a code review can tell what methods are used to safeguard
against security bugs, the general quality of the code, the level of
automated testing, etc. History can give hints to the same. If it has had a lot
of bugs discovered, it is likely not of good quality from a security
perspective, and more bugs can be expected.

It is called due diligence. The aim is not to find the bugs but to evaluate
the product.

Regards

Baldur

