Secure Coding mailing list archives

Re: Fwd: I don't beleive open source is always the answer


From: "Joe Teff" <joe () joeteff com>
Date: Fri, 12 Dec 2003 15:27:43 +0000

>> The argument that bugs are researched and fixed quicker for open
>> source is not completely true. They definitely are if one of the
>> contributors is interested in that specific area. However, there
>> is nothing compelling anyone to fix a specific issue.
>
> There is nothing compelling any software vendor, open source or not.

True. But my experience over the years has been that commercial software
is slightly ahead in this area. Not true in many cases, with an emphasis
on slightly.

>> In order to get a fix as soon as possible, you also have to take
>> many other changes that may or may not be complete, safe or tested.
>
> True for any vendor.

I was referring to incremental or daily builds as opposed to milestone or
stable builds.

>> The idea of taking the source and making your own change is also
>> unrealistic. Since this list is all about security, I know
>> everyone here would agree that any such change would require a
>> great deal of testing. You've then just made the solution your
>> own product to support.
>
> Not necessarily, it depends on the kind of problem. I'd feel
> fairly comfortable fixing a single instance of an off-by-one
> problem, and have a high confidence level that it wasn't going
> to cause major problems. Then I simply switch to the official
> release when ready, and do away with my band-aid.

If my budget and resources are to support a web application and
I make changes to the server (i.e. Tomcat), I now have to support
both the web app and the server, but with the same budget and resources.

> Certainly open source is no worse than closed source, in the
> general case.
> Plus, you've got more options with open source, whether you choose
> to use them or not. And I would tend to think that having the
> source available for review is much more in line with the charter
> of this list.

I don't disagree. My earlier response was simply to point out
shortcomings that I've experienced. I didn't say never or don't. I
just said it's not always the answer.

joe teff