On Thu, Dec 04, 2003 at 06:21:33PM +0100, Johannes Zarl ([EMAIL PROTECTED]) wrote:
> On Thursday 04 December 2003 17:43, Tom wrote:
> > On Thu, Dec 04, 2003 at 10:15:12AM -0600, John Hasler wrote:
> > > ... That's why the kernel
> > > developers thought it was just an ordinary bug: they could see no way
> > > to exploit it.
> >
> > That statement is somewhat disconcerting. The hypothesis is that many
> > eyes detect secure bugs, and here is clear case evidence contradicting
> > that hypothesis.
>
> <nitpicking>
> Actually, the hypothesis is that many eyes detect severe bugs more likely.
> So one severe bug going undetected (or in this case underestimated)
> doesn't disprove the hypothesis.
> </nitpicking>

It was detected, all right. It just wasn't reported back to Kernel
Development as a security bug directly.

> > One must assume there are more bugs in this class.
>
> Definitely. Like in every big software-project one must assume there are
> (severe) bugs going undetected.

IIRC, it was a prior nonproductive thread with "Tom" which pointed out
seeding and metrics as a way of estimating such bug counts.

Peace.

-- 
Karsten M. Self <[EMAIL PROTECTED]> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
The truth behind the H-1B IT indentured servant scam:
http://heather.cs.ucdavis.edu/itaa.real.html