Message-ID: <432EC390.9060808@sdf.lonestar.org>
Date: Mon Sep 19 14:56:54 2005
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: OSS means slower patches
Roman Drahtmueller wrote:
>
>Security vulnerabilities are usually dealt with "best effort" commitment
>on behalf of the vendors. It's going to be your decision as to which
>model you trust more: Simply relying on your vendor's commercial
>commitment, or, in addition to that, benefit from an OSS developer's
>personal motivation to keep and improve his reputation. Keep in mind that
>with closed source, you can't really tell what has been changed in a fix
>and that the fix actually addresses the problem.
Not to mention that something that actually is a function of the Free
Software/Open Source Software ideologies is a degree of transparency.
If you're measuring "time to disclosure" versus "time to patch", you most
definitely should expect a difference, because people are more likely to
just disclose vulnerabilities in FS/OSS applications, whereas people
finding flaws in proprietary software tend to keep those flaws to their
chest for a longer period of time than others - both for legal reasons
and due to vendor requirements.

In other words, the difference in the development methods inherently
makes the method of statistical analysis used invalid.

GIGO - Garbage In, Garbage Out... that mantra doesn't just work for
computers, it works for statistics as well.
-Barry