From: Chad Perrin
To: freebsd-questions@freebsd.org
Date: Sat, 2 Jun 2007 23:59:00 -0600
Subject: Re: BSD derivatives
Message-ID: <20070603055900.GC63366@demeter.hydra>
In-Reply-To: <933DCFF2293A4ED344379171@paul-schmehls-powerbook59.local>

On Sat, Jun 02, 2007 at 10:10:08PM -0500, Paul Schmehl wrote:
> --On June 3, 2007 4:33:01 AM +0200 Jona Joachim wrote:
> >>
> >>I disagree. I'd say that OpenBSD and FreeBSD put security in exactly
> >>the same place -- at the top of the list.
> >
> >Sorry but I have to disagree here.
> >FreeBSD ships with closed source software including following drivers:
> >ath, nve, oltr, rr232x, hptmv.
> >Closed source software implies potential insecurity. If security is at
> >the top of the list then I see a clear contradiction here.
> >
> Sorry, but that's an incredibly naive statement. *All* software implies
> potential insecurity. It's the nature of software.
>
> If it were untrue, there would be no security patches for open source
> software.

Discovery of vulnerabilities in need of patching is not the same as an unsecured system.

The key to the above statement that closed source software implies a lack of security is that with closed source software there is an unavoidable and necessary assumption that the vendor has your best security interests at heart and will achieve the same security success that you would, in addition to any success it might itself achieve. The facts have shown that not only are proprietary, closed source software vendors prone to ignoring or hiding vulnerabilities dismayingly often rather than fixing them, but they also (even more dismayingly, but hopefully less often) intentionally include functionality that we the end users would consider security vulnerabilities, and pretend such back doors, rootkits, and spyware do not exist.

In short -- software is not trustworthy, which is why double-checking it (in the form of peer review and personal source code access) is so important to security. When peer review and personal source code access are not available, your only option is trust, which is a losing proposition by definition when dealing with software.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
print substr("Just another Perl hacker", 0, -2);