Secure Coding mailing list archives
Re: [Fwd: DJB's students release 44 *nix software vulnerability advisories]
From: der Mouse <mouse () Rodents Montreal QC CA>
Date: Wed, 22 Dec 2004 09:09:47 +0000
>> To have fewer bugs due to an external audit, that external audit would have to happen, not just be possible.

> Not necessarily. Just the threat of public embarrassment [...] could cause open source developers to be more disciplined in the first place.

This hypothesis has been around for quite some time as part of the "open source is better" hype.
However, it is also unsubstantiated.
I'm also not entirely certain it's as relevant as the discussion makes it sound. As someone who insists on source code (not necessarily open source by any of the various definitions floating around - but if *I* don't have source, I don't run it), my reasons aren't so much that I think it likely to be more nearly bug-free as much as that if I suspect a bug, I can go check, and if I encounter a bug, I can go fix it. Or at least much more nearly so. I've run into bugs in gcc that I am not competent to fix, but I've been able to fix a much higher proportion of the bugs (and nonbugs that I desire to have changed, such as feature enhancements) I've run into when I've had source than when I haven't.

However, until a significant fraction of the market starts making similar choices, it won't have any significant effect on the mandates handed from managers to coders - and shops where managers hand out orders to coders are still where almost all of the code comes from, whether in terms of number of programs, number of lines, number of copies run, whatever. I've seen indications that this is starting to happen, which I (being a fairly strong source-code bigot) find encouraging. But they're still just preliminary rumblings.

I'm not sure whether this list's focus is more "how do we write code more securely, assuming we have the mandate to do so" or "how do we cause more of the code written to be more secure" (or perhaps something else).

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML                        mouse () Rodents Montreal QC CA
/ \ Email!            7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B