On Thu, May 23, 2002 at 02:17:27PM -0700, Dare Obasanjo wrote:
> > Sorry, security is design based, the process of transforming a
> > product not designed with security in mind by filling up the
> > gaps one by one as they get discovered on the customer
> > deployments is simply a pure (and sad) joke.
> Your comments are particularly interesting especially coming from a
> RedHat employee since the motto of Open Source Software is "Release
> Early, Release Often" while primarily relying on the "Many Eyes" theory.
And this has never replaced security conscious design, which is the
very first phase before any code even gets produced. The "Many Eyes"
practice is somewhat hopeless on code which wasn't designed with
security in mind, but *at least* if you have the code it is usually
possible to see if this was the case or not! There are even automated
tools working on the code to produce assertions about possible security
problems. Without code, you just have to believe whoever is shipping the
binary that those steps were done (and it seems they don't make much
economical sense to some software vendors.)
Daniel Veillard | Red Hat Network https://rhn.redhat.com/
firstname.lastname@example.org | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/