Good bye

Les Mikesell lesmikesell at gmail.com
Thu Jan 31 16:24:21 UTC 2008


John Summerfield wrote:
> 
> Many years ago, RH used to ship CDE, maybe around RHL 4.x.
> 
> Unfortunately, CDE had a security problem. CDE is closed software. RH 
> takes security more seriously than its supplier did. RH could not get a 
> fix in a suitable timeframe.
> 
> RH immediately withdrew support, suggested people did not use it, and 
> offered paying customers a credit against their next purchase.
> 
> RH was a new company then; anyone who's still around from then is likely 
> senior management now.
> 
> Whatever their beliefs then, I'm sure that that experience moved them a 
> few points towards "open source and only open source."

I think this puts a very unwarranted spin on open vs. closed source 
software.  In fact if you examine what was shipped in RH4.x you'd find 
glaring security issues in just about _every_ package and the ones that 
didn't have their own inherited exploitable environment overflows, etc. 
from the libraries.  That wasn't particularly RedHat's fault, it was 
just that no one expected the bad guys to read the source code before RH 
shipped a CD that would install on anyone's PC.  But fast forward to 
RH6.x and you'd still find exploited vulnerabilities in bind, sendmail, 
the ftp programs, smtpd, samba, and so on.  You can't make a blanket 
claim that bugs are going to be fixed just because someone who could fix 
them has the source.  As I recall, the one in smtpd got fixed just about 
everywhere at the same time, closed and open versions.   I haven't 
followed CDE but I'd assume that if it is still used, its known 
exploitable bugs have been fixed too, RedHat's grandstanding about the 
issue while still shipping other bugs notwithstanding.

-- 
   Les Mikesell
     lesmikesell at gamil.com
