Vulnerability Development mailing list archives

Re: Notes Domino Server Platform for e-commerce?


From: sincity_mark () INAME COM (Mark L. Jackson)
Date: Wed, 9 Feb 2000 21:29:42 -0800


Blue Boar said:
To answer a few specifics:  Notes/Domino has had a web component for like 2
or 3 years, not 10.

The original post did not say anything about NOTES being a 'web server'.
Technically it does the same thing as a web server, though.
FYI: The code that NOTES (Domino) uses has been around longer than Apache.

Blue Boar said:
I find your faith ... disturbing.

As opposed to your faith in Apache, I presume? If NOTES fails IBM takes the
blame, if Apache fails who takes the blame? A small cadre of 'open source'
devs with little to lose?

Blue Boar said:
...I agree that code review is one of the bigger factors for how secure
something should be considered. We don't know how much Notes has had, it's
not published.

Code Review is one of the bigger blah blah blah. Oh please. The only thing
that matters is how it performs. I have seen 'open source' code that did not
work nor would it ever work. Yet it is openly available for code review!

Code review does not guarantee anything. Any idiot can read the code; that does
not mean they can find a bug.

The biggest problem with 'open source' software is that there is very little
(if any) accountability. Code review is not a substitute. Who cares if I can
see the source code? If you can compile it, you can corrupt it. Yes, I know a
lot of you will not agree, but then you probably are not 'on the hook' for a
company's performance.

Blue Boar said:
Another indicator for how secure something might be is past bugs:

Again the only way to measure security is whether you can break into a
system or not. Number of past bugs has no bearing on security. The only
thing that matters is whether you can exploit a bug to get into the system.
That depends on the current status of the system that you would be
attempting to breach. Number of past bugs *might* be an indicator of whether
there will be future bugs; then again, bugs are a naturally occurring
incident.

Blue Boar said:
These things would *seem* to indicate that IBM/Lotus is still stuck in the
wait-for-bugs-then-fix-them mode, and isn't doing a lot of proactive
auditing.

How would they seem to indicate anything other than that it is software?

If you were to apply this statement to Apache then you would have to
conclude the same thing. Isn't 'open source' about finding and fixing bugs
'after the fact'? You seem to labor under the assumption that you can have
it both ways: code review for open source to search for bugs, but not for
proprietary apps. All the while hailing the find-it-and-fix-it mentality as
good for 'open source' but not for proprietary.

I use IBM tools, work on an AS/400, and deal extensively with IBM. I can say
from experience that IBM *DOES* extensive debugging. Why you would make such
a ludicrous statement shows an incredible ignorance and arrogance.

By the way, how do you know they ever coded this way?

Blue Boar said:
In addition, Notes (the whole collection of things called Notes) is pretty
large and complex, and includes its own databases and access-lists. This
does not 100% guarantee bugs, but IMNSHO, it makes them pretty likely.

So what you are saying is big almost always equals bugs. Then I would have
to say that UNIX (and the clones) are full of bugs. *BUT* you said that code
review (as most UNIX, Linux go through) is one of the best ways to get rid
of bugs. Quite a conundrum, wouldn't you say? Does that also mean that 'open
sauce' is stuck in the wait-for-bugs-then-fix-them mode? First it is bad,
then it is good; which is it?

You also seem to say that a cadre of developers without any contact, coming
from disparate points on the globe, all with differing ideas and directions,
can create a better piece of software than a group of developers working for
the same company, with the same agenda, and reliant on that company's
success. THAT IS BIZARRE. FOCUS always wins.

Blue Boar said:
In addition, there's lots of room for misconfiguration.

You of course are speaking of 'open source' products like Linux, Apache
etc....

Blue Boar said:
In short, I think calling Notes "secure" as a blanket statement is
at best generous.

and I find your rebuttals lacking in any substance.

In conclusion:
No software is totally secure. Most apps are at the mercy of users, and
other apps, and especially the O/S. One app that is not secure on NT might
well be on OS/400 or eS/390 or Solaris etc... Number of bugs indicates little
when taken out of context. UNIX for years was riddled with bugs; that does
not in and of itself make it insecure.

Blanket statements like 'big is buggy' and 'open source is good' are nonsense
and are of no use to anyone. If you are unwilling to consider the current
situation and how the software will be used within that situation, then you
will only cause more problems.

There is no one best platform, O/S, app. There is a current best for each
time and place. That is what has to be considered.
