Hey Martin,
I was reading your note and it is not the reality or something that
should be done but rather another side to consider when working with
software vendors.
I do agree that there is a benefit when the sources are open but
companies like MS (just as an example) do not just vanish.
The above would be said for many other vendors that are committed to the
client to support him.
I took an example and I stick with it:
The sysadmin and IT department need to consider and evaluate what
their relationship with the software vendor is and decide.
Sometimes they decide to open the source but only in-house due to the
demand but it is still unrelated to "dangerous".
I agree that if we do not trust the vendor to test and patch its
software then it is a risk, and when the sysadmin types "apt-get install
tzdata" then he should understand that it will be updated, and if not
he (or somebody) can compile and update the tzdata files.
I have seen more than once that an open source distribution did not
apply critical updates and admins were required to run some errands to
make the software work.
I took tzdata package since it was a very major issue on many systems I
have seen.
I still think that an institute small enough to not build its own OS
can assess its requirements and decide that for example Debian is not
for them and they prefer a specific vendor.
It's not dangerous and not reckless but a decision which considers what
is good for the institute from a couple of aspects.
Many admins feel safe enough with Windows and not with Debian.
I have a couple of servers and desktops and I have seen bugs that were not
fixed in Debian, and the effort it will take from me to fix them will be
more than buying a Hyper-V or VMware license.
So what if they are the only ones that can patch the software? They meet
the institute's global goals at a good price. Is it that bad? No!
I remember that some admin I met showed me what he did to disable the
apache server version advertisement.
Will it secure the service against some attacks? No, but F5, RADWARE and
other companies' products will indeed do that, and in some cases it's
cheaper than patching or upgrading a running system.
So still the argument that it's dangerous is not really an argument.
The state stays exactly the same: there is a risk that needs to be
assessed and evaluated like in any software product and like any other
chair on the planet.
All The Bests,
Eliezer
On 27/09/2015 11:47, Martin Read wrote:
On 27/09/15 08:06, Eliezer Croitoru wrote:
Like any other job the programmers need money and software authors are
not obligated to publish their work to be available to all humanity (or
at least those parts of humanity that are connected to the WWW).
The above is something I think is right and it is right especially for
security and health related software.
Security-related software is very *precisely* the kind that should not
be closed-source proprietary software, because when your security
software is proprietary, only the copyright holder has the right to
publish and distribute a fix for that piece of software when it turns
out to have a vulnerability.
And, of course, on an Internet-connected computer *most* software turns
out to be security-related.