Good question, and I had to give it some thought to respond appropriately. I guess I myself haven't footed the bill as much as with some other applications. However, whenever a new bug/security hole is found I have to make a choice - apply the patch, or leave my otherwise stable server running with a known issue. Being a tech and programmer, of course I decide to apply the patch. Thus, I have "footed the bill" in a sense with my time to ensure the version I am running is relatively secure.
I would also have to foot the bill in learning enough about Apache to ensure I have set it up in a secure manner. But now that brings in other tools, like OpenSSL. So I have to learn that as well. (Needless to say, I suspect my current Apache instance is not as secure as it could be.) So, either I spend the time and energy to focus on security with Apache, or I don't. I balance my decisions with the role of the Apache server in question, my time, and the severity of the issues found. I suspect this is what most techs do with regard to Apache and any other piece of software.

On the other hand, I benefit from where other people have "footed the bill" due to the way releases are done, and the open source model in general. People who play with bleeding-edge versions of Apache (and other software) find the problems, which are usually fixed before an official release is done. This is where open source truly shines compared to the proprietary model. There are more people willing to play with the latest code in open source, because it is available. In the proprietary model, you either need to be an employee, purchase the right to the bleeding-edge code, or sign a non-disclosure agreement before you use the package. The costs involved here are usually passed on to the consumers when an official release is done.

So, while Apache (and other products) may have a very good security model, we as consumers have still footed the bill in some manner. I admire the organizations - either official or loose groupings of coders - who value security and consider it while writing their application. It makes my life much easier in the long run.

When I posted my original comments, I was thinking more about the type of code a consultant would write for a client. However, I believe my statement can apply to most other types of code as well.

Thanks for the prod Aaron.... :D

Shawn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Aaron J. Seigo
Sent: Thursday, May 20, 2004 5:40 PM
To: [EMAIL PROTECTED]
Subject: Re: [clug-talk] Buggy software and usability issues

...
<snip>
as an end user of Apache, how have you "footed the bill" for its relatively good security history? (one could replace "Apache" with numerous other bits of software, of course =)
</snip>

_______________________________________________
clug-talk mailing list
[EMAIL PROTECTED]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca

