Neil Williams wrote:
>
> Now Debian does have bugs that are over 2 years old, some over 5 years
> old but these aren't security bugs!

Cough - did you check;

http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=security

Before claiming that?

We even have interesting discussions like Debian bug 299007, which is "fixed" in Ubuntu, but they fixed it the wrong way. The correct fix was (obviously?) to remove "/usr/local" from root's path, thus preventing the useful group "staff" being equivalent to user "root". They removed the group staff from writing to "/usr/local" (doh).

It is quite clear that enough Debian code hasn't overcome the deficiencies of mimicking Unix, or in some cases coming from Red Hat's less desirable security model, that it has plenty to keep the Debian developers too busy to be gloating.

I already ranted about the state of computer security over this Windows bug, but I think claiming Debian doesn't have similar issues would be irresponsible. It might have fewer such issues, and better defences in places, but there isn't a huge amount of clear blue water apparent these days. Did I hear that SELinux won't be the default in Etch?

> Windows is poor code because the source code doesn't get put in front
> of enough people. Peer review WORKS.

Peer review helps.

Much code can't be revised to make it substantially more secure. Systems need to be designed (or majorly overhauled) to be secure, and in some ways this is a better strength of public development models than code review.

The weakness of ActiveX is not the code, but the concept. Thus it wouldn't matter how many people see the code that implements ActiveX, it will still be insecure in certain ways that Java Applets aren't (check Debian bugs against gcjwebplugin for exceptions to the "Java applets are more secure" theory). Although if they pore over the code for all the components they might find a few weaknesses that could be patched (or have their kill bits set).

Microsoft Windows has poor code, because people (many of them computer makers) buy it. If the code needed to be better before people would (or could) buy it, the code would be better. You can get secure code without peer review, just Microsoft have little incentive to provide secure code (whatever means they use to achieve it). Is their bad reputation for security hurting their market share significantly?
Attachment:
signature.asc
Description: OpenPGP digital signature
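
The following is an added example, not part of the original message: a small audit of the condition discussed around Debian bug 299007, reporting directories on a given PATH that an account other than root could write executables into. The function name `audit_path` and the `trusted_uids`/`trusted_gids` parameters are assumptions made for this illustration.

```python
import os
import stat


def audit_path(path_value, trusted_uids=(0,), trusted_gids=(0,)):
    """Return (entry, reason) pairs for PATH entries where an account outside
    the trusted sets could place a program that the PATH owner later runs."""
    findings = []
    for entry in path_value.split(os.pathsep):
        # An empty or relative entry is resolved against the current directory.
        if not entry or not os.path.isabs(entry):
            findings.append((entry, "empty or relative entry"))
            continue
        try:
            st = os.stat(entry)  # follows symlinks, as command lookup does
        except OSError:
            continue  # missing entry; parent directories are not checked here
        if not stat.S_ISDIR(st.st_mode):
            continue
        if st.st_uid not in trusted_uids:
            findings.append((entry, f"owned by uid {st.st_uid}"))
        # The case from the bug report: group-writable, group is not root's.
        if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
            findings.append((entry, f"writable by gid {st.st_gid}"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((entry, "world-writable"))
    return findings


if __name__ == "__main__":
    # Run as root (or with root's PATH exported) to audit root's search path.
    for entry, reason in audit_path(os.environ.get("PATH", "")):
        print(f"{entry or '(empty)'}: {reason}")
```

Only the listed directories themselves are examined; a writable parent directory is outside what this check covers.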
-- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html