RE: CRIME Study: Open, closed source equally secure

From: Andrew Plato (aplato@private)
Date: Thu Jun 20 2002 - 21:57:43 PDT

    > And remember, there's a lot more to security theories than mathematical
    > models.  His model does nothing to talk about the time it takes to _fix_
    > a problem once found.  For that, nothing beats open source programs, and
    > that has been proven (sorry, can't remember the actual citations, but
    > I'm sure Crispin has them somewhere...)
    
    I'd be interested in seeing a study like that. I wonder what the mean time between discovery of a problem and a widely acceptable fix being available is for open-source vs. closed-source? My intuition tells me that closed-source may take longer to acknowledge and come up with a fix, but it can spread that repair out quicker because it has a more organized notification channel. Whereas open-source might repair the problem faster, but spreading it out to users would be slower because there is a lack of centralized coordination. I would speculate, then, that the same conclusion would result... open and closed source would have about the same real-world response time.
    
    I could cite an example...when IIS has a bug we hear about it all over the news which would prompt people to get the update. But when a new version of Snort comes out that repairs some bug, people don't know about it until they happen to stop by the Snort site and notice that there has been a version update. 
    
    Andrew Plato 
    


