[Sussex] Open Source Is Fertile Ground for Foul Play

Geoff Teale gteale at cmedltd.com
Thu Feb 12 09:55:31 UTC 2004


On Thu, 2004-02-12 at 09:34, Paul Turner wrote:
> This article might provoke a few thoughts:
> 
> http://www.devx.com/opensource/Article/20111

Whilst this raises some interesting concerns, it's, frankly, old-hat and
the only cases so far have been caught and fixed very quickly (FSF and
Debian repositories were compromised in one week if you recall; neither
caused major problems for users apart from temporary unavailability of
CVS/Subversion repositories).

The argument that communities of developers cannot police the code is
reliant on the idea that those development communities are too lazy and
too low-skilled to keep a handle on this stuff.  This is a typical
comment of closed-source companies who still don't believe that software
can be developed and QA'd by people without carrot and stick
management.  This idea is not borne out in reality.  This whole argument
here is just another take on security by obscurity and we all know just
how valid that argument has shown itself to be.

One thing I do know - if a major security flaw was found in a mainstream
open source development, it wouldn't take 7 months for a fix to appear.

Moreover we should give fair note to:

0/
The website you are looking at is a subsidiary of JupiterMedia, a
publisher of software development titles focused on .NET and
VisualBasic/Visual C++ application development.  Moreover, for income
this company relies almost totally on advertising - and they state in
their corporate information that one of their biggest advertisers is
Microsoft Corporation.

1/
Microsoft friendly publications will be going into overdrive with this
crap for the next few weeks as their "known security flaw took 7 months
to fix" is currently splattered all over the press (anyone see Channel 4
news last night?).

-- 
GJT 
gteale at cmedltd.com 

Cold hands, no gloves.
