Secure Coding mailing list archives
RE: Re: White paper: "Many Eyes" - No Assurance Against Many Spies
From: Jeremy Epstein <jeremy.epstein () webmethods com>
Date: Fri, 30 Apr 2004 00:16:30 +0100
I agree with much of what he says about the potential for infiltration of bad stuff into Linux, but he's comparing apples and oranges. He's comparing a large, complex open source product to a small, simple closed source product. I claim that if you ignore the open/closed part, the difference in trustworthiness comes from the difference between small and large. That is, if security is my concern, I'd choose a small open source product over a large closed source, or a small closed source over a large open source... in either case, there's some hope that there aren't bad things in there. Comparing Linux to his proprietary system is just setting up a strawman..... of course the fact that he's selling something that conveniently replaces the strawman he knocks down is simply a coincidence.... --Jeremy
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 29, 2004 2:32 PM
To: Kenneth R. van Wyk
Cc: [EMAIL PROTECTED]
Subject: [SC-L] Re: White paper: "Many Eyes" - No Assurance Against Many Spies

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kenneth R. van Wyk wrote:
> FYI, there's a white paper out by Dan O'Dowd of Green Hills Software (see http://www.ghs.com/linux/manyeyes.html) that "It is trivial to infiltrate the loose association of Linux organizations which have developers all over the world, especially when these organizations don't even try to prevent infiltration, they accept code from anyone."
>
> And he's selling us the solution, how convenient. :\

Hmm. Leaving aside the couple of obvious problems with this essay's arguments, I'll note that some of the author's points are valid. It puzzles me that many otherwise security-conscious people have no qualms downloading and installing whatever they fancy with little thought to the source or the author's motives. It is indeed a pretty loose network which supports much of what we know as GNU/Linux. That is less true of FreeBSD and even less of OpenBSD.

- -d

- --
David Talkington
[EMAIL PROTECTED]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAkUoT5FKhdwBLj4sRAluEAJ4oaUqtTrKPsOpaTiRJ9vycDhlwMACgo6D3
M/i6mUw7n6wm2c64aBIaPwk=
=NAeE
-----END PGP SIGNATURE-----