[kwlug-disc] given enough eyeballs, all bugs are shallow?
rarsa at yahoo.com
Fri Jan 8 23:10:28 EST 2010
--- On Fri, 1/8/10, Robert P. J. Day <rpjday at crashcourse.ca> wrote:
> i think the defense of OSS as being more
> secure needs more explicit points as to *why* it should be inherently
> more secure.
I think you are shooting a sacred cow.
Not long ago (within last year) I was caught with my pants down when arguing that same point. Of course I could refer to anecdotal "evidence" and statistics. But "anecdotal" does not have much weight and statistics can be presented in many different ways.
I sent an S.O.S to this mailing list for supporting references. It started a good thread but I still received anecdotal and statistical references that could be refuted with other anecdotes and corresponding statistics.
What ended up being clear to me is that "security" has many interpretations starting with:
Is the software secure vs. is the installation secure.
One certainly depends on the code, the other depends mostly on the ability and care of the sysadmin.
I say "mostly" because another measure of security is how secure and sensible are the defaults and how easy it is to modify those defaults.
Ultimately, I came to the obvious realization that proprietary and Open source are concepts, not products. Making blanket generalizations is misleading and arguing to either being more secure is silly.
I think it makes more sense to compare as follows:
Is out of the box apache version xx under Red Hat version xx more secure than IIS version yy under Windows zz?
Is it easier for an administrator to harden X than to harden Y?
We can argue with opinions until we are blue on the face but they will just be opinions.
I'd be very interested to see if you can find really compelling arguments
Software, Hardware and Practices
An eclectic collection of random thoughts
Looking for the perfect gift? Give the gift of Flickr!
More information about the kwlug-disc