Eric Tully writes:
I've heard that argument before (last time I heard it was a problem with a PGP implementation) and I never understand what people are trying to prove when they say it.
Let me simplify. I found it startling that a Redmond-level bug was in a mature open-source project, the result of many years of hard work and evolution, deemed "Ready for the Enterprise." This isn't a slap at Open Source. It's just mild bemusement.
Are you saying that the Open Source model isn't as good as proprietary "we'll-fix-it-if-we-feel-like-it" models? Are you saying that Open Source isn't the promised land like you were... um, promised? Are you saying that Open Source model shouldn't be used for anything that concerns security? I honestly don't know what you're getting at.
Well, let's see. I think Open Source is better than the Closed Source proprietary "It's not a bug, it's a feature" model. I've never been promised anything by Open Source, so it's certainly not the second thing. While I wouldn't say Open Source should not be used for secure code, there seems to be a bit of overconfidence in this area, particularly in the lack of realization that Open Source clones of rock solid pieces of software like PGP and SSH are probably exploitable and buggy when they are first released. But all in all, I think Open Source is an excellent idea, as long as one does not have unrealistic expectations. I wouldn't use Open Source to run an artificial heart, but for most of the things it is used for, it is probably quite satisfactory.
So Open Source is not a perfect solution. In its defense:
- you had the opportunity to hire a team of 50 to examine the code
- the solution was made known to you
- you can reject this solution and write your own if you prefer
none of which would have been true if this were proprietary code.
Quite true.
There are so many good things about this model - it seems silly to argue that Open Source doesn't live up to the unrealistic hype that the guys on Slashdot promised you.
I have not been promised anything by the "guys on Slashdot." I simply found the error amusing. Let's not get our blood pressure in an uproar simply because virtually every Linux system in the world was just discovered to have a user readable/writable kernel. It will be fixed, and life will move on. This is a dumb coding error. Not a referendum in the eyes of God on the worthiness of the Open Source movement. Chill.

--
Eric Michael Cordian 0+
O:.T:.O:. Mathematical Munitions Division
"Do What Thou Wilt Shall Be The Whole Of The Law"