Date: Mon Sep 19 14:56:54 2005
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: OSS means slower patches

Roman Drahtmueller wrote:

>Security vulnerabilities are usually dealt with "best effort" commitment
>on behalf of the vendors. It's going to be your decision as to which
>model you trust more: Simply relying on your vendor's commercial
>commitment, or, in addition to that, benefit from an OSS developer's
>personal motivation to keep and improve his reputation. Keep in mind that
>with closed source, you can't really tell what has been changed in a fix
>and that the fix actually addresses the problem.
Not to mention that something that actually is a function of the Free 
Software/Open Source Software ideologies is a degree of transparency.

If you're measuring "time to disclosure" versus "time to patch" you most 
definitely should expect a difference because people are more likely to 
just disclose vulnerabilities in FS/OSS applications whereas people 
finding flaws in proprietary software tend to keep those flaws to their 
chest for a longer period of time than others - both for legal reasons 
and due to vendor requirements.

In other words, the difference in the development methods inherently 
makes the method of statistical analysis used invalid.

GIGO - Garbage In, Garbage Out... that mantra doesn't just work for 
computers, it works for statistics as well.

             -Barry