[EMAIL PROTECTED] wrote:
>fox wrote:
>>According to http://openbsd.org/security.html, the last two releases
>>of OpenBSD have had 8 vulnerabilities (and that includes two that
>>apply to both releases - so really 6 for both releases of OpenBSD).
>
>What about http://www.securityfocus.com/bid/16375 and
>http://docs.freebsd.org/cgi/mid.cgi?200601251013.k0PAD9lO059018 (Fixed in
>cvs, but NO patch for 3.8 or 3.7 and NO security announce -
>http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_bridge.c.diff?r1=1.147&r2=1.148)
>
>Are there other bugs that haven't made it to the errata page?

Does it matter? When and if OpenBSD is secure (without disclaimers like "uber-secure"), the errata no longer matter from a security standpoint. Methinks that would be the primary advantage of being proactive rather than reactive.

What I find incredible is that presumably number-literate computer people could imagine that counting security flaws is a measure of anything relevant. People get bills that come in the mail (or whatever). Computing your financial position by counting the number of bill envelopes is mildly indicative but is hardly any basis for any rational comparison. Even adding the numbers is misleading if the currencies differ. The "dumb" user-base is not THAT dumb.

Actually there is an objective measure of computer security. That is the going rate for compromised computers. Last I heard, seems it was something like five cents US per compromised computer. After several years of "security is a priority". Surely somebody could do better with extremely bad security.