On Thu, 1 Jun 2000, Chen Shapira wrote:
> > For the sake of discussion, here is an interesting article on
> > Open source security.
> >
> > http://developer.earthweb.com/journal/techfocus/052600_security.html
>
> Too bad he doesn't discuss the most important thing: the time lapse between the
> moment a security problem is found and the moment a fix is released.
> (Define these loosely: "fixed" means a patch appears on the Red Hat site, and "found"
> means a notification/exploit on rootshell/CERT/bugtraq...)
>
> It's 7 days for Linux, 2 months for MS and 6 months for Sun, on average.
> (Of course, in the past year only 2 security bugs were found on Sun; the number
> of Linux/MS bugs is closer to 100.)
>
> The point I'm making is: if there's a bug no one knows about, the system is
> relatively secure. If the bug is well known and exploits are running
> around... well, a Linux sysadmin can spend a week of kernel tinkering trying
> to fix it; MS/Sun sysadmins can just pray and wait for the next service
> pack.
The truth is most people don't care enough about security ;-(
Try out OpenBSD <http://openbsd.org/security.html> for size
(they claim "Three years without a remote hole in the default install! Two
years without a localhost hole in the default install!").
Of course you pay for it: most software in the distribution is not the latest
version, and it has a lot fewer packages than FreeBSD (+ ports collection)
or (almost?) any Linux distribution.
This is because it takes time to audit code ... ;-(
Regards
Rafi