[WEB4LIB] RE: next big thing (open source problems)
John Creech
creechj at mumbly.lib.cwu.edu
Wed Feb 21 16:54:22 EST 2001
This wasn't an "attack" on Aaron's part, Christopher. I should have only
included Mark Pecault's remarks on "happy perspective" when I mentioned
open source to begin with (oops; can't close a sentence with a
preposition). My reply made it sound as if I was lumping in Mark's
comments on gloom and doom with his happy perspective comments; I was
hoping to hear what others had to say on open source. Clear as mud? Me
too.
We run a bunch of open source software here at our library, I'm interested
in oss, I'm doing a presentation on oss at a regional conference in a
couple of months, and I was just curious to hear what others had to say.
I agree with your comments below. Eric Raymond writes on p.40 of the
O'Reilly edition of _The Cathedral and the Bazaar_ that "given enough
eyeballs, all bugs are shallow." Works for me.
John Creech
Electronic Resources & Systems Librarian
Central Washington University
creechj at www.lib.cwu.edu
On Wed, 21 Feb 2001 leblanc at almark.lamar.edu wrote:
> Aaron Dobbs wrote:
>
> >I suspect open source is not the only source for bugs & complexities.
> >Privacy & security holes are being discovered and exploited more frequently
> >these days and the recent BIND (DNS) discovery will only multiply the
> >problem.
> >
> >The more complex a system the more room for bugs (or undocumented features
> >if you will)
> >
> >I feel the sentiment below is more pragmatic than fatalistic. Accept that
> >there will be problems and apply the fixes as they are developed. There
> >will always be something that can be improved. And there will always be a
> >way for someone to get where they aren't supposed to be. The biological
> >metaphor really does work for Technology.
>
> I have to disagree with the basis for your partial attack on Open
> Source software. You assume that since there are security holes and
> bugs in it, it is less secure than non-Open Source software. The
> problem is that many security holes in non-Open Source projects are
> often swept under the rug by those who know (the people who make it).
>
> If you go to security and bug tracking sites, you will find as many
> entries for non-Open Source software as you do for Open Source. The
> only difference between the two is that Open Source developers want
> their software to be tested and the problems to be found and fixed
> quickly. Many non-Open Source developers (more importantly their
> companies) do not want problems publicized at all, and work hard to keep
> quiet any problems that are found until they can release their next
> version, which you will have to upgrade to because of all of the
> security problems "they have just found."
>
> I will not go as far as to say that Open Source is any more secure or
> bug free than non-Open Source, but the problems are found quickly, and
> fixes are available quickly.
>
> As for the BIND (DNS) security problem, the problems that have arisen
> are already patched, and BIND 8.2.3 is available (note: 8.2.3-beta is
> vulnerable, but the full version is not). Although the problems
> reported could allow a 'cracker' to gain root (i.e.: super user) access
> to a system, this vulnerability does not mean that Open Source in
> general, or BIND in particular, is insecure. Most of these
> vulnerabilities were found in "labs" where technicians, who understand
> code far better than script kiddies or crackers, were able to identify
> the vulnerability and send it on to the ISC so that they could update
> BIND before these vulnerabilities showed up "in the wild."
>
> It is because the source code is available, that smart programmers,
> commonly calling themselves hackers, are able to identify
> vulnerabilities and fix them, but with a turn-around rate for fixing the
> vulnerability far greater than any major company could accomplish.
>
> All I am saying is don't knock Open Source just because. It is not
> necessarily less secure, nor does it necessarily introduce more bugs.
> More often than not, it turns out to be more secure and overall better
> designed software than non-Open Source.
>
> Thanks,
>
> Christopher LeBlanc
> Systems Office
> Mary and John Gray Library
> Lamar University
> Beaumont, Texas
>