Date: Mon Sep 19 14:40:03 2005
From: draht at novell.com (Roman Drahtmueller)
Subject: OSS means slower patches

> > An interesting perspective?
>
> Nope.

Oh, I think it is. To some degree, the statements made are plain wrong.

> > http://australianit.news.com.au/articles/0,7204,16650762%5E15306%5E%5Enbv%5E,00.html
> >
> > Symantec Australia managing director David Sykes said the increasing
> > popularity of open source software, such as the Mozilla Foundation's
> > Firefox browser, could be part of the reason for the increase in the
> > gap between vulnerability and patch, with the open source development
> > model itself part of the problem. "It is relying on the goodwill and
> > best efforts of many people, and that doesn't have the same commercial
> > imperative," he said. "I'm sure that is part of what is causing the
> > blow-out in the patch window."

The modern Linux distributor's role is to mediate such gaps, should they actually exist in the first place. It sometimes happens that OSS developers don't care much about journalistic hype about vulnerabilities that aren't really as high profile as inflated.

Common mistakes made in quantitative comparisons of vulnerabilities are:

 * comparisons between apples and oranges
 * the severity rating applied does not correspond to the real world, or no severity rating is applied at all.

Know that the most severe vulnerabilities are being fixed fastest.

Security vulnerabilities are usually dealt with on a "best effort" commitment on behalf of the vendors. It's going to be your decision as to which model you trust more: simply relying on your vendor's commercial commitment, or, in addition to that, benefiting from an OSS developer's personal motivation to keep and improve his reputation. Keep in mind that with closed source, you can't really tell what has been changed in a fix and whether the fix actually addresses the problem.

My personal understanding (from experience) is that Open Source Software developers take very much pride specifically in the security qualities of their code. The SUSE Security Team's experience in working with vulnerabilities in OSS during the last half dozen years has clearly shown that OSS developers DO care about security. We have also observed a growing awareness of the security properties of the code and an increasing interest in cooperating with security folks on their findings and ideas.

so long,
Roman.
-- 
 - -
| Roman Drahtmüller      <draht@...ell.com> // "You don't need eyes to see, |
  Security Architect     Phone:             //  you need vision!"
| Novell - SUSE Linux    +49-911-740530     //   Maxi Jazz, Faithless       |
 - -