RE: Use of closed source software

From: Peter C. McCluskey (pcm@rahul.net)
Date: Wed Feb 06 2002 - 10:49:24 MST


 mail@HarveyNewstrom.com (Harvey Newstrom) writes:
>I agree. But having closed source guarantees that interested parties cannot
>review its security flaws closely. It also prevents the customer from
>verifying security, and they end up having to assume or trust the vendor
>with no evidence of security.

 A vendor can offer compelling evidence of security by promising to pay,
say, $100,000 to anyone who demonstrates the existence of a security flaw
in their software. If consumers refused to buy closed-source software that
wasn't backed by such evidence, I suspect it would quickly become obvious
that closed-source software has been insecure because of inadequate
motivation, rather than due to any inherent limitation of the closed-source
approach.
 Oddly enough, the only software I'm aware of that is backed by such an
offer is qmail, an open-source program (http://cr.yp.to/qmail/guarantee.html).
Last I checked, the typical Linux distribution installed sendmail rather than
qmail by default. Given sendmail's less than exemplary security record, it is
hard to say that security is a terribly high priority in much of the
open-source world.

-- 
------------------------------------------------------------------------------
Peter McCluskey          | Free Jon Johansen!
http://www.rahul.net/pcm | 

