[dundee] Taylug Weekly Articles 8 - POMS

Gary Short gary at garyshort.org
Sat Feb 2 17:25:37 GMT 2008


gordon dunlop wrote:
> The Coverity study has inspected the Linux kernel, applications etc
> and their statistics have been acknowledged in their accuracy. So
> Linux has been thoroughly tested openly and the data being published.
> The only unknown quantities are with Windows systems because they are
> closed and Microsoft will not let anyone do analysis therefore it is
> only guesswork and conjecture on the number of bugs per lines of code
> within their systems. So Microsoft cannot claim it is more secure as
> it is not open for scrutiny and therefore cannot prove it. At least
> open source can say to the users of their software here is the data on
> how buggy our systems are, 

All true, but fairly meaningless when you talk about software in 
security terms. If one system has 100 bugs, but none of them are 
exploitable in such a way that the security of the system can be 
overcome, and another system has just 1 bug, but that bug allows an 
exploit which does overcome the security, then I'd have to say the 
system with 100 bugs is more secure than the one with 1 bug. No? So, as 
I say, until there is an internationally agreed measure for security then 
each side can pick the measure that shows them in the best light (in 
this case bugs per 1k of code) and trumpet to the world that theirs is 
the most secure system; whilst another system will choose another 
measure that shows them in the best light and do exactly the same thing, 
and both sides (and their followers) will talk themselves in circles 
without really proving anything.

> users are being presented with facts and
> not propaganda.

Propaganda comes in many shapes and sizes.

-- 
Cheers,
Gary
http://www.garyshort.org
