Secure Coding mailing list archives
Re: Fwd: I don't beleive open source is always the answer
From: "Joe Teff" <joe () joeteff com>
Date: Fri, 12 Dec 2003 15:27:43 +0000
The argument that bugs are researched and fixed quicker for open source is not completely true. They definitely are if one of the contributors is interested in that specific area. However, there is nothing compelling anyone to fix a specific issue.
There is nothing compelling any software vendor, open source or not.
True. But my experience over the years has been that commercial software is slightly ahead in this area. Not true in many cases, with an emphasis on slightly.
In order to get a fix as soon as possible, you also have to take many other changes that may or may not be complete, safe or tested.
True for any vendor.
I was referring to incremental or daily builds as opposed to milestone or stable builds.
The idea of taking the source and making your own change is also unrealistic. Since this list is all about security, I know everyone here would agree that any such change would require a great deal of testing. You've then just made the solution your own product to support.
Not necessarily, it depends on the kind of problem. I'd feel fairly comfortable fixing a single instance of an off-by-one problem, and have a high confidence level that it wasn't going to cause major problems. Then I simply switch to the official release when ready, and do away with my band-aid.
If my budget and resources are to support a web application and I make changes to the server (i.e. Tomcat), I now have to support both the web app and the server, but with the same budget and resources.
Certainly open source is no worse than closed source, in the general case. Plus, you've got more options with open source, whether you choose to use them or not. And I would tend to think that having the source available for review is much more in line with the charter of this list.
I don't disagree. My earlier response was simply to point out shortcomings that I've experienced. I didn't say never or don't. I just said it's not always the answer.

joe teff