Date: Mon Sep 19 14:40:03 2005
From: draht at novell.com (Roman Drahtmueller)
Subject: OSS means slower patches

> > An interesting perspective?
> 
> Nope.

Oh, I think it is. To some degree, the statements made are plain wrong.

> > http://australianit.news.com.au/articles/0,7204,16650762%5E15306%5E%5Enbv%5E,00.html
> > 
> > Symantec Australia managing director David Sykes said the increasing
> > popularity of open source software, such as the Mozilla Foundation's
> > Firefox browser, could be part of the reason for the increase in the
> > gap between vulnerability and patch, with the open source development
> > model itself part of the problem. "It is relying on the goodwill and
> > best efforts of many people, and that doesn't have the same commercial
> > imperative," he said. "I'm sure that is part of what is causing the
> > blow-out in the patch window."

The modern Linux distributor's role is to mediate such gaps, should they
actually exist in the first place. It sometimes happens that OSS
developers don't care much about journalistic hypes about vulnerabilities
that aren't really that high profile as inflated. Common mistakes made in
quantitative comparisons of vulnerabilities are

* comparisons between apples and oranges
* severity rating applied does not correspond to real world, or no 
  severity rating is applied at all. Know that most severe 
  vulnerabilities are being fixed fastest.

Security vulnerabilities are usually dealt with "best effort" commitment
on behalf of the vendors. It's going to be your decision as to which
model you trust more: Simply relying on your vendor's commercial
commitment, or, in addition to that, benefit from an OSS developer's
personal motivation to keep and improve his reputation. Keep in mind that 
with closed source, you can't really tell what has been changed in a fix 
and that the fix actually addresses the problem.

My personal understanding (from experience) is that Open Source Software
developers take very much pride specifically in the security qualities of
their code. The SUSE Security Team's experience in working with
vulnerabilities in OSS during the last half dozen years has clearly shown
that OSS developers DO care about security. We have also observed a
growing awareness for the security properties of the code and an
increasing interest in cooperating with security folks on their findings
and ideas.

so long,
Roman.
-- 
 -                                                                      -
| Roman Drahtmüller   <draht@...ell.com> // "You don't need eyes to see, |
  Security Architect    Phone:          //             you need vision!"
| Novell - SUSE Linux   +49-911-740530 //           Maxi Jazz, Faithless |
 -                                                                      -
