Date: Mon Sep 19 14:51:01 2005
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: OSS means slower patches

Ivan . wrote:

>An interesting perspective?
>
>http://australianit.news.com.au/articles/0,7204,16650762%5E15306%5E%5Enbv%5E,00.html
>
>Symantec Australia managing director David Sykes said the increasing
>popularity of open source software, such as the Mozilla Foundation's
>Firefox browser, could be part of the reason for the increase in the
>gap between vulnerability and patch, with the open source development
>model itself part of the problem. "It is relying on the goodwill and
>best efforts of many people, and that doesn't have the same commercial
>imperative," he said. "I'm sure that is part of what is causing the
>blow-out in the patch window."
>
Yet more junk research to muddy the waters...

There's a ton of generalizing being done about things that are very 
difficult to generalize.  It seems to me that what they're doing is 
measuring time to release with Mozilla... which, granted, is a fair way 
to judge things because Mozilla doesn't seem to issue specific patches 
to the greater world except in the form of nightly builds, which are not 
suggested for normal users.  However, to then turn around and tie that 
to the Free Software/Open Source Software methodology is, frankly, 
completely and totally stupid.

Anyone making such a stupid statement should be fired, or at the very 
least bound from making any public statement in the name of the company.

Patch release time in ANY project depends exclusively on the delivery 
methods of the project itself.  Sometimes they come quickly, sometimes 
people are a bit more busy and they come after some time.  Let's not 
forget that there are a number of closed source applications which have 
a history of having very long patch cycles. 

In essence, open source or closed source, what dictates a patch's 
release cycle and timing is the maintainer of the application.  Anyone 
turning around, averaging things, and making general statements beyond 
that is a moron.

                -Barry