[WEB4LIB] RE: next big thing (open source problems)

Dobbs, Aaron DobbsA at apsu.edu
Wed Feb 21 16:44:00 EST 2001


I'm sorry my remarks were taken as an attack on Open Source in general.  
My point was intended to be that *any* software is vulnerable, whether Open
or Closed source.  
(hence my first sentence - "...open source is *not* the "only" source for
bugs..." (emphasis added this time, by me))  
Perhaps I should have continued thusly:  M$ (& other closed source
providers) introduce more than their fair share of bugs, though they tend to
label such as "undocumented features" as a marketing ploy to save face.

The BIND example is still valid.  An example of a closed source bug would be
that a service pack was required for M$2K before it had been out a month or
so.  Or, perhaps, the still unreliably patched M$ virus distribution combo,
Outlook with .vbs attachments.  Yes, closed source bugs are more difficult
to deal with.  BIND now seems stable & secure whereas Exchange/Outlook w/vbs
can still "take out" businesses nation/world-wide.  

Any sufficiently advanced program (advanced enough to be used effectively by
the non-coding-inclined) is complex enough to have bugs.  These programs
always will.  Bugs are in the eye of the beholder.  (to some they're protein,
to others they're a nuisance)

Oops, I was rambling.  
The main point I was trying to make is this:  
Accept that there will be problems and apply fixes as they are developed.  

-Aaron
:-)

-----Original Message-----
From: leblanc at almark.lamar.edu [mailto:leblanc at almark.lamar.edu]
Sent: Wednesday, February 21, 2001 3:11 PM
To: Multiple recipients of list
Subject: [WEB4LIB] RE: next big thing (open source problems)


Aaron Dobbs wrote:

>I suspect open source is not the only source for bugs & complexities.
>Privacy & security holes are being discovered and exploited more frequently
>these days and the recent BIND (DNS) discovery will only multiply the
>problem.
>
>The more complex a system the more room for bugs (or undocumented features
>if you will)
>
>I feel the sentiment below is more pragmatic than fatalistic.  Accept that
>there will be problems and apply the fixes as they are developed.  There
>will always be something that can be improved.  And there will always be a
>way for someone to get where they aren't supposed to be.  The biological
>metaphor really does work for Technology.

I have to disagree with your basis for your, partial, attack on Open
Source software.  You assume that since there are security holes and
bugs in it, that it is less secure than non-Open Source software.  The
problem is that many security holes in non-Open Source projects are
often swept under the rug by those who know (the people who make it).

If you go to security and bug tracking sites, you will find as many
entries for non-Open Source software as you do for Open Source.  The
only difference between the two is that Open Source developers want
their software to be tested and the problems to be found and fixed
quickly.  Many non-Open Source developers (more importantly their
companies) do not want problems publicized at all, and work hard to keep
quiet any problems that are found until they can release their next
version, which you will have to upgrade to because of all of the
security problems "they have just found."

I will not go as far as to say that Open Source is any more secure or
bug free than non-Open Source, but the problems are found quickly, and
fixes are available quickly.

As for the BIND (DNS) security problem, the problems that have arisen
are already patched, and BIND 8.2.3 is available (note: 8.2.3-beta is
vulnerable, but the full version is not).  Although the problems
reported could allow a 'cracker' to gain root (i.e.: super user) access
to a system, this vulnerability does not mean that Open Source in
general, or BIND in particular, is insecure.  In fact, most of
these vulnerabilities were found in "labs" where technicians, who
understand code far better than script kiddies or crackers, were able to
identify the vulnerability and send it on to the ISC so that they could
update BIND before these vulnerabilities showed up "in the wild."

It is because the source code is available, that smart programmers,
commonly calling themselves hackers, are able to identify
vulnerabilities and fix them, but with a turn-around rate for fixing the
vulnerability far greater than any major company could accomplish.

All I am saying is don't knock Open Source just because.  It is not
necessarily less secure, nor does it necessarily introduce more bugs.  More often than not,
it turns out to be more secure and overall better designed software than
non-Open Source.

Thanks,

Christopher LeBlanc
Systems Office
Mary and John Gray Library
Lamar University
Beaumont, Texas