Date:      Sat, 2 Jun 2007 23:59:00 -0600
From:      Chad Perrin <perrin@apotheon.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: BSD derivatives
Message-ID:  <20070603055900.GC63366@demeter.hydra>
In-Reply-To: <933DCFF2293A4ED344379171@paul-schmehls-powerbook59.local>
References:  <4661FAC9.9010806@transpacific.net> <20070602201740.202e768a.wmoran@potentialtech.com> <46621503.5030303@freebsd.org> <20070603043301.28d9bef2@localhost> <933DCFF2293A4ED344379171@paul-schmehls-powerbook59.local>

On Sat, Jun 02, 2007 at 10:10:08PM -0500, Paul Schmehl wrote:
> --On June 3, 2007 4:33:01 AM +0200 Jona Joachim <jaj@hcl-club.lu> wrote:
> >>
> >>I disagree.  I'd say that OpenBSD and FreeBSD put security in exactly
> >>the same place -- at the top of the list.
> >
> >Sorry but I have to disagree here.
> >FreeBSD ships with closed source software including following drivers:
> >ath, nve, oltr, rr232x, hptmv.
> >Closed source software implies potential insecurity. If security is at
> >the top of the list then I see a clear contradiction here.
> >
> Sorry, but that's an incredibly naive statement.  *All* software implies 
> potential insecurity.  It's the nature of software.
> 
> If it were untrue, there would be no security patches for open source 
> software.

Discovery of vulnerabilities in need of patching is not the same as an
unsecured system.

The key to the above statement that closed source software implies a
lack of security is that with closed source software there is an
unavoidable and necessary assumption that the vendor has your best
security interests at heart and will achieve the same security success
that you would, in addition to any success it might itself achieve.

The facts have shown that not only are proprietary, closed source
software vendors prone to ignoring or hiding vulnerabilities dismayingly
often rather than fixing them, but they also (even more dismayingly, but
hopefully less often) intentionally include functionality that we the
end users would consider security vulnerabilities, and pretend such back
doors, rootkits, and spyware do not exist.

In short -- software is not trustworthy, which is why double-checking it
(in the form of peer review and personal source code access) is so
important to security.  When peer review and personal source code access
are not available, your only option is trust, which is a losing
proposition by definition when dealing with software.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
print substr("Just another Perl hacker", 0, -2);