RE: Closed source & Security (was: Re: Smooth wall - more detailed)
- To: "'Linux-IL'" <linux-il(at-nospam)linux.org.il>
- Subject: RE: Closed source & Security (was: Re: Smooth wall - more detailed)
- From: Tzafrir Cohen <tzafrir(at-nospam)technion.ac.il>
- Date: Thu, 30 Aug 2001 09:48:12 +0300 (IDT)
- Delivered-To: linux.org.il-linux-il@linux.org.il
- In-Reply-To: <000f01c1311a$8d05c1c0$0100a8c0@hagel.co.il>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
On Thu, 30 Aug 2001, Haim Gelfenbeyn wrote:
>
> I feel that saying that "open source can be trusted more than closed
> source" is a huge overstatement. There are certain (very few)
> open-source projects (Apache, Linux kernel, etc.) which had security
> audits and someone other than the author read the sources. However, for
> the majority of open-source projects this is not the case. Take a look at
> any Linux archive. While there is much quality software there, there
> are also lots of programs written badly, and no one in a clear mind
> should depend on them in any production environment.
>
> For Linux distributions the situation is even worse. More often than not
> you cannot depend on them to update all the packages with all the latest
> security patches. And it takes exactly one exploit to root the
> machine...
>
> So, if you have time and qualification to:
>
> 1. Review and audit the source code on a regular basis.
> 2. Actively look for updates and patches for all software installed.
>
> Then open source is the way to go. But if you don't have time and
> qualification, then a closed-source (or open-source but commercial)
> alternative, if maintained and supported properly, can be a viable
> solution.
Reality check: A home or a small business definitely does not have the time
for such audits (ok: most don't have, that is).
It is not so easy to check how effective the proactive security measures
taken by different distros are (if any). However, it is probably less hard to
compare how different distros _react_ to known problems. All major distros
are generally expected to issue update packages. I think that in the list
of 'major distros' I can name Caldera, Connectiva, Debian, Mandrake,
Redhat, SuSE, Slackware and TurboLinux. And there are also
Free/Net/Open-BSD.
Can anybody comment on how well different distros live up to this
expectation? (no flames, please)
--
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir