> And remember, there's a lot more to security theories than > mathemetical > models. His model does nothing to talk about the time it > takes to _fix_ > a problem once found. For that, nothing beats open source > programs, and > that has been proven (sorry, can't remember the actual citations, but > I'm sure Crispin has them somewhere...) I'd be interested in seeing a study like that. I wonder what the mean time between discovery of a problem and a widely acceptable fix being available is for open-source vs. closed source? My intuition tells me that close-source may take longer to acknowledge and come up with a fix, but it can spread that repair out quicker because it has a more organized notification channel. Where as open-source might repair the problem faster, but spreading it out to users would be slower because there is a lack of centralized coordination. I would speculate then, that the same conclusion would result...open and closed source would have about the same real-world response time. I could cite an example...when IIS has a bug we hear about it all over the news which would prompt people to get the update. But when a new version of Snort comes out that repairs some bug, people don't know about it until they happen to stop by the Snort site and notice that there has been a version update. Andrew Plato
This archive was generated by hypermail 2b30 : Thu Jun 20 2002 - 22:58:27 PDT