Alex Bennee wrote:
> Saying things are invulnerable is just asking for a compromise in the
> future.

Well, either you take the challenge or you don't. Asking for compromise doesn't mean anyone will have serious success. Or do you think OpenSSL, OpenSSH, GnuPG for instance are only *pretty* safe because they don't claim to be? IIRC, they do so although giving not any warranty as usual.

> The best you can say is we have audited the code for such
> failures. Which brings us back to point 1...

Sure, as long as this piece of stardust rotates there'll always be something to fix, to enhance etc. pp. Still, inspecting the concerned sources and telling so - "We've investigated and found no vulnerability" would be a good idea, IMHO. It's obvious no human being can give a 100% warranty. It's rather a QA issue. I'm pretty sure a whole lot of projects don't care about such a vulnerability and the Java guys feel safe anyway because they don't have these obnoxious pointers and buffer overfloods either.

--
Christian

As you can see, this is a signature. It's not related to the contents of the mail in any way. But you probably won't listen to me anyway, will you?
