-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Markus,
Markus Schönhaber wrote: > You defend it yourself in the next paragraph you've written. > >> One could argue that more moving parts equals more complexity, and that >> complexity is an enemy of security (and I agree). However, there must be >> a balance. If good security requires layers, and each layer adds more >> complexity, then there is a paradox. > > Exactly. I believe I raised a question, rather than defending a point. I'm suggesting that things are more complicated than the sound bites that some people like to drop. I would appreciate my FUD to come with a side order of empirical evidence. For instance, if Leon had said "I've had bad security experiences with Apache httpd", well, then at least he would have actually been making a statement. As much as I think that MS IIS is a steaming pile of crap, it is not a foregone conclusion that running MS IIS implies that you will be hacked to bits by tomorrow morning. The same is true with Apache httpd, except that I'm guessing that most members on this list are less likely to jump all over Apache httpd than they are to do so with MS IIS. I would just urge posters to the list to post something more than "product X sucks" or "". I hate having wasted my time to read a message that does not move the dialog forward (not that I'm saying that Leon's message was a waste of time). Let's all endeavor to provide proper context and be precise in what message we are trying to communicate. Leon's message says flat out that adding Apache httpd reduces security, and provides no basis for that statement. A more appropriate statement might have been that Apache does not add any appreciable measure of security as Tomcat provides the same kinds of protections against unauthorized access, etc. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFo/KZ9CaO5/Lv0PARAuWEAJ46lQOQ91ln8VgHBTT42z5RM9HP1ACgg4BO vchsGJ0tN6oSIw7CYq/MoVE= =zkQ5 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
