[vox] Open Source and Security

Jonathan Stickel vox@lists.lugod.org
Mon, 01 Mar 2004 12:53:28 -0800 

Here is my (naive) view of software security:

1. old software is insecure because un-patched exploits have been 
discovered long ago, but it is so old no one wants to fix it

2. recently released software is mostly secure because easy exploits are 
found quickly and patches are available; less obvious exploits are not 
yet known

3. bleeding edge, pre-released software is insecure because fixes for 
easy exploits are not yet available.

This applies to both proprietary software (PS) and open-source software 
(OSS).  Note that for both PS and OSS, it is the responsibility of the 
end user to keep up-to-date on security vulnerabilities and make the 
appropriate updates.  A decided advantage of OSS is that _anyone_, 
including yourself, can fix security problems, even for case 1.  But 
with PS, you are in the hands of the software vendor.  Also, OSS is 
often more secure to start with because more people can look at the code 
and anticipate problems.

It sounds like the person quoted here falls under case 1, where an old 
version of a RH distro is being used that RH inc no longer supports. 
He/she probably ought to switch linux distributions or purchase RHE.

Jonathan


Byron Roberts wrote:
> Here is an excerpt from a post on the CVBIG list that I belong to:
> 
> [snip]
> 
>>The problems with Linux are that RedHat (our operating 
>>system) no longer supports further updates, the Linux operating system has 
>>three system vulnerabilities, which need to be fixed, and it is open source 
>>(I know I touched on something sacred here, but no programmer likes to redo 
>>old code, especially someone elses, so I'm concerned the security 
>>vulnerabilities will not get fixed).
> 
> [snip]
> 
> I feel like I'm totally missing something here....I thought that one of the big advantages of 
> OSS was increased security, precisely because the code is accessible and able to be 
> modified?  Or as a newbie is there some piece of information that I'm lacking?
> _______________________________________________
> vox mailing list
> vox@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox
>