echo: linuxhelp
to: Tony Williams
from: Geo.
date: 2002-12-01 14:26:14
subject: Re: Most Unsecure OS? Yep, It`s Linux

From: "Geo." 

BIND and Sendmail are not exactly sufficiently complex apps, heck as far as
internet services go they are among the simplest.

BIND is one of my favorite examples for this because if you compare it to
MS DNS server you find that the closed source dns server has had far fewer
exploits over the past 7 years. It's an amazing difference considering both
do the exact same functions.

But that's the point I was making, it doesn't really matter if it's open or
closed source, bugs are bugs and they continue to exist in both. Security
or exploit resistance depends more on the quality of the design and
programmers than on anything else.

Geo.

"Tony Williams"  wrote in message
news:3dea53c1{at}w3.nls.net...
> One time less than the black-hats, obviously  . It's an arms-race and
> I think that realistically there are always going to be holes in a
> sufficiently complex app so the best we can expect is for the holes to
> be plugged rapidly.
>
> BIND and Sendmail do seem to be particularly weak, but maybe that's
> simply because they're under attack the most.
>
> --
> Tony
>
> Geo. wrote:
> > How many times have these guys gone over the code in BIND and Sendmail?
> >
> > Geo.
> >
> > "Tony Williams"  wrote in message
> > news:3de941a6$1{at}w3.nls.net...
> >
> >>Antti Kurenniemi wrote:
> >>
> >>>"Tony Williams"  wrote in message
> >>>news:3de90000$1{at}w3.nls.net...
> >>>
> >>>
> >>>>I chose the words carefully. You have a choice to trust many people
> >>>>working out in the open and having their efforts publicly reviewed, or
> >>>>to trust a single source with no third-party corroboration. Either way
> >>>>you have to trust somebody to not have made a mistake or been malicious
> >>>>- what's that saying? "Trust, but verify". Closed source lacks the
> >>>>"verify" portion.
> >>>
> >>>
> >>>That is true to an extent - for a normal average user the open source
> >>>lacks the "verify" as well (who has the knowledge / time to go find out if
> >>>some problem has been fixed in all the millions of lines of code?). So it's a
> >>>question of who to trust.
> >>>
> >>
> >>Exactly - one vendor who makes claims which can't be independently
> >>verified or a collection of developers who review each others' work in
> >>the open (and who often seem to take great delight in striving to outdo
> >>each other). You might not verify the fix yourself, but you can be sure
> >>that others have done it for you.
> >>
> >>Turn the question on its head: who is it wiser to distrust?
> >>
> >>--
> >>Tony
> >>
> >
> >
> >
>

--- BBBS/NT v4.01 Flag-4
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/1.45)

SOURCE: echomail via fidonet.ozzmosis.com
