
Re: Good bye



John Summerfield wrote:

Many years ago, RH used to ship CDE, maybe around RHL 4.x.

Unfortunately, CDE had a security problem. CDE is closed software. RH takes security more seriously than its supplier did. RH could not get a fix in a suitable timeframe.

RH immediately withdrew support, suggested people not use it, and offered paying customers a credit against their next purchase.

RH was a new company then; anyone who's still around from then is likely senior management now.

Whatever their beliefs then, I'm sure that that experience moved them a few points towards "open source and only open source."

I think this puts a very unwarranted spin on open vs. closed source software. In fact, if you examine what was shipped in RH4.x, you'd find glaring security issues in just about _every_ package, and the ones that didn't have their own inherited exploitable environment overflows, etc., from the libraries. That wasn't particularly RedHat's fault; it was just that no one expected the bad guys to read the source code before RH shipped a CD that would install on anyone's PC. But fast forward to RH6.x and you'd still find exploited vulnerabilities in bind, sendmail, the ftp programs, smtpd, samba, and so on. You can't make a blanket claim that bugs are going to be fixed just because someone who could fix them has the source. As I recall, the one in smtpd got fixed just about everywhere at the same time, closed and open versions. I haven't followed CDE, but I'd assume that if it is still used, its known exploitable bugs have been fixed too, RedHat's grandstanding about the issue while still shipping other bugs notwithstanding.

--
  Les Mikesell
    lesmikesell gamil com


