On Tue, 15 Feb 2005 01:40:25 +0100, Jochem van Dieten
<[EMAIL PROTECTED]> wrote:
> You mean like the integer overflows that made non-privilege-
> separated OpenSSH rootable a few years ago. Sure, the patch was
> out before the exploit was out. But did anybody take a step back,
> said "wow, this is a whole new type of overflow" and then audited
> the entire codebase for that type of overflow?

Hey, shit happens and silly bugs get out there in the mainstream. I'm
pretty sure that there are still some infected IIS servers spewing out
CodeRed probes. Remember the carnage that came from CodeRed?

> I seriously doubt that*. Reviewing code is not fun. Reviewing
> code for the fourth time because there is this whole new type of
> overflow that you didn't check for the last 3 times is even less
> fun. People are not going to do that when they can also start
> coding on cool new feature X. Unless you pay them to review.

Indeed. I hate reviewing code.

> I'm not buying the many eyes argument. It is just as likely that
> the apparent difference in source code quality between open and
> closed source code is due to closed source code being more
> deadline / shareholder value driven. And that means that open
> source does not have a natural advantage, but a temporary
> advantage until closed source companies get their priorities
> straight.

I can relate to that; we have rushed out a version to meet deadlines
and satisfy customer demand. The resulting code had some pretty bad
fudges with comments like <!--- TODO oh well, this is bad but i'll fix
it in 2.5 --->.

I just feel that openness of information in general is good. This way
you REALLY know what is going on. For example, a mentally ill
Australian was found who could not tell police who her family was;
she had reverted to her mother tongue (German) and was deluded. So
the police handed her to immigration, who promptly put her in detention
until it was discovered who she was, 10 months later.

Now this was a massive bungling by several government departments.
There is an enquiry into the matter, but it will be a private one with
the findings not to be released. The public wants to know how this
happened, and who is accountable for it. But that won't happen because
the information will only be shared among a few people.

Do you see my abstract (but in my mind, valid) analogy?

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:194640
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4