Secure Coding mailing list archives

Re: [Fwd: DJB's students release 44 *nix software vulnerability advisories]


From: der Mouse <mouse () Rodents Montreal QC CA>
Date: Wed, 22 Dec 2004 09:09:47 +0000

>> To have fewer bugs due to an external audit, that external audit
>> would have to happen, not just be possible.
> Not necessarily.  Just the threat of public embarrassment [...] could
> cause open source developers to be more disciplined in the first
> place.  This hypothesis has been around for quite some time as part
> of the "open source is better" hype.

However, it is also unsubstantiated.

I'm also not entirely certain it's as relevant as the discussion makes
it sound.

As someone who insists on source code (not necessarily open source by
any of the various definitions floating around - but if *I* don't have
source, I don't run it), my reasons aren't so much that I think it
likely to be more nearly bug-free as much as that if I suspect a bug, I
can go check, and if I encounter a bug, I can go fix it.

Or at least much more nearly so.  I've run into bugs in gcc that I am
not competent to fix, but I've been able to fix a much higher
proportion of the bugs (and nonbugs that I desire to have changed, such
as feature enhancements) I've run into when I've had source than when I
haven't.

However, until a significant fraction of the market starts making
similar choices, it won't have any significant effect on the mandates
handed from managers to coders - and shops where managers hand out
orders to coders are still where almost all of the code comes from,
whether in terms of number of programs, number of lines, number of
copies run, whatever.  I've seen indications that this is starting to
happen, which I (being a fairly strong source-code bigot) find
encouraging.  But they're still just preliminary rumblings.

I'm not sure whether this list's focus is more "how do we write code
more securely, assuming we have the mandate to do so" or "how do we
cause more of the code written to be more secure" (or perhaps something
else).

/~\ The ASCII    der Mouse
\ / Ribbon Campaign
 X  Against HTML        [EMAIL PROTECTED]
/ \ Email!      7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B