On Thu, Jun 20, 2002 at 09:57:43PM -0700, Andrew Plato wrote:
> >
> > And remember, there's a lot more to security theories than
> > mathematical models. His model does nothing to talk about the time it
> > takes to _fix_ a problem once found. For that, nothing beats open
> > source programs, and that has been proven (sorry, can't remember the
> > actual citations, but I'm sure Crispin has them somewhere...)
>
> I'd be interested in seeing a study like that. I wonder what the mean
> time between discovery of a problem and a widely acceptable fix being
> available is for open-source vs. closed source? My intuition tells me
> that closed-source may take longer to acknowledge and come up with a
> fix, but it can spread that repair out quicker because it has a more
> organized notification channel. Whereas open-source might repair the
> problem faster, but spreading it out to users would be slower because
> there is a lack of centralized coordination. I would speculate then,
> that the same conclusion would result...open and closed source would
> have about the same real-world response time.

Hah, I see you haven't been continuously getting emails from the last
round of viruses that exploit problems in Outlook that have been fixed
for over a year :)

> I could cite an example...when IIS has a bug we hear about it all over
> the news which would prompt people to get the update. But when a new
> version of Snort comes out that repairs some bug, people don't know
> about it until they happen to stop by the Snort site and notice that
> there has been a version update.

As a good system admin, I would care more about the time from when the
problem is found till when I can have a fix for it. And open source
wins that benchmark. The ability to actually force all vulnerable people
to use your patch is a totally different problem :)

greg k-h
This archive was generated by hypermail 2b30 : Thu Jun 20 2002 - 23:47:31 PDT