Vulnerability Development mailing list archives
Re: Notes Domino Server Platform for e-commerce?
From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Wed, 9 Feb 2000 21:43:58 -0800
As opposed to your faith in Apache, I presume?
Yes.
If NOTES fails IBM takes the blame, if Apache fails who takes the blame? A small cadre of 'open source' devs with little to lose?
They've (Apache developers) been much more responsive and quicker to get bugs fixed. As for the rest of your note, I said nothing about open source in general. I implied that Apache has been well looked-at, and Notes doesn't appear to have been, that's all. Apache has security as one of its goals. I presume the Notes developers do as well. However, to overgeneralize almost as much as you have, big software developers rarely give security as much priority as you seem to indicate. I worked for one of the world's largest software vendors for several years, and security of their products was not a goal, at all. Big is buggy. It doesn't have to be true, but it is. No one said open source is always better (at least not yet, give them a chance). My assessment of how much effort is put into auditing Notes is based on people finding bugs that any sort of sanity check should have caught before it left home. Deal. BB
Code Review is one of the bigger blah blah blah. Oh please. The only thing that matters is how it performs. I have seen 'open source' code that did not work nor would it ever work. Yet it is openly available for code review! Code review does not guarantee anything. Any idiot can read the code; that does not mean they can find a bug. The biggest problem with 'open source' software is that there is very little (if any) accountability. Code review is no substitute. Who cares if I can see the source code? If you can compile it, you can corrupt it. Yes, I know a lot of you will not agree, but then you probably are not 'on the hook' for a company's performance.

Blue Boar said: Another indicator for how secure something might be is past bugs:

Again, the only way to measure security is whether you can break into a system or not. Number of past bugs has no bearing on security. The only thing that matters is whether you can exploit a bug to get into the system. That depends on the current status of the system that you would be attempting to breach. Number of past bugs *might* be an indicator of whether there will be future bugs; then again, bugs are a naturally occurring incident.

Blue Boar said: These things would *seem* to indicate that IBM/Lotus is still stuck in the wait-for-bugs-then-fix-them mode, and isn't doing a lot of proactive auditing.

How would they seem to indicate anything other than that it is software? If you were to apply this statement to Apache then you would have to conclude the same thing. Isn't 'open source' about finding and fixing bugs 'after the fact'? You seem to labor under the assumption that you can have it both ways: code review for open source to search for bugs, but not for proprietary apps, all the while hailing the find-it-and-fix-it mentality as good for 'open source' but not for proprietary. I use IBM tools, work on an AS/400, and deal extensively with IBM. I can say from experience that IBM *DOES* extensive debugging. Why you would make such a ludicrous statement shows an incredible ignorance and arrogance. By the way, how do you know they ever coded this way?

Blue Boar said: In addition, Notes (the whole collection of things called Notes) is pretty large and complex, and includes its own databases and access-lists. This does not 100% guarantee bugs, but IMNSHO, it makes them pretty likely.

So what you are saying is big almost always equals bugs. Then I would have to say that UNIX (and the clones) are full of bugs. *BUT* you said that code review (as most UNIX and Linux go through) is one of the best ways to get rid of bugs. Quite a conundrum, wouldn't you say? Does that also mean that 'open sauce' is stuck in the wait-for-bugs-then-fix-them mode? First it is bad, then it is good; which is it? You also seem to say that a cadre of developers without any contact, coming from disparate points on the globe, all with differing ideas and directions, can create a better piece of software than a group of developers working for the same company, with the same agenda, and reliant on that company's success. THAT IS BIZARRE. FOCUS always wins.

Blue Boar said: In addition, there's lots of room for misconfiguration.

You of course are speaking of 'open source' products like Linux, Apache etc....

Blue Boar said: In short, I think calling Notes "secure" as a blanket statement is at best generous.

And I find your rebuttals lacking in any substance.

In conclusion: No software is totally secure. Most apps are at the mercy of users, and other apps, and especially the O/S. One app that is not secure on NT might well be on OS/400 or eS/390 or Solaris etc... Number of bugs indicates little when taken out of context. UNIX for years was riddled with bugs; that does not in and of itself make it insecure. Blanket statements like 'big is buggy' and 'open source is good' are nonsense and are of no use to anyone.

If you are unwilling to consider the current situation and how the software will be used within that situation, then you will only cause more problems. There is no one best platform, O/S, or app. There is a current best for each time and place. That is what has to be considered.
Current thread:
- Re: Notes Domino Server Platform for e-commerce? andrej () KTU EDU (Feb 09)
- <Possible follow-ups>
- Re: Notes Domino Server Platform for e-commerce? Blue Boar (Feb 09)
- Re: Notes Domino Server Platform for e-commerce? Wozz (Feb 10)
- Re: Notes Domino Server Platform for e-commerce? Martin Bishop (Feb 10)