echo: linuxhelp
to: Geo.
from: Tony Williams
date: 2002-12-01 11:50:22
subject: Re: Most Unsecure OS? Yep, It`s Linux

From: Tony Williams 

I reckon anything beyond hello.c is sufficiently complex. Sendmail
implements a Turing-complete scripting language so it's definitely right up
there.

As to their security, I'm inclined to agree with you that they don't have a
good record but that's offset by the speed at which they're fixed. Like I
said, it's an arms race.

--
Tony

Geo. wrote:
> BIND and Sendmail are not exactly sufficiently complex apps, heck as far as
> internet services go they are among the simplest.
>
> BIND is one of my favorite examples for this because if you compare it to MS
> DNS server you find that the closed source dns server has had far fewer
> exploits over the past 7 years. It's an amazing difference considering both
> do the exact same functions.
>
> But that's the point I was making, it doesn't really matter if it's open or
> closed source, bugs are bugs and they continue to exist in both. Security or
> exploit resistance depends more on the quality of the design and programmers
> than on anything else.
>
> Geo.
>
> "Tony Williams"  wrote in message
> news:3dea53c1{at}w3.nls.net...
>
>>One time less than the black-hats, obviously. It's an arms-race and
>>I think that realistically there are always going to be holes in a
>>sufficiently complex app so the best we can expect is for the holes to
>>be plugged rapidly.
>>
>>BIND and Sendmail do seem to be particularly weak, but maybe that's
>>simply because they're under attack the most.
>>
>>--
>>Tony
>>
>>Geo. wrote:
>>
>>>How many times have these guys gone over the code in BIND and Sendmail?
>>>
>>>Geo.
>>>
>>>"Tony Williams"  wrote in message
>>>news:3de941a6$1{at}w3.nls.net...
>>>
>>>
>>>>Antti Kurenniemi wrote:
>>>>
>>>>
>>>>>"Tony Williams" wrote in message
>>>>>news:3de90000$1{at}w3.nls.net...
>>>>>
>>>>>
>>>>>
>>>>>>I chose the words carefully. You have a choice to trust many people
>>>>>>working out in the open and having their efforts publicly reviewed, or
>>>>>>to trust a single source with no third-party corroboration. Either way
>>>>>>you have to trust somebody to not have made a mistake or been malicious
>>>>>>- what's that saying? "Trust, but verify". Closed source lacks the
>>>>>>"verify" portion.
>>>>>
>>>>>
>>>>>That is true to an extent - for a normal average user the open source lacks
>>>>>the "verify" as well (who has the knowledge / time to go find out if some
>>>>>problem has been fixed in all the millions of lines of code?). So it's a
>>>>>question of who to trust.
>>>>>
>>>>
>>>>Exactly - one vendor who makes claims which can't be independently
>>>>verified or a collection of developers who review each others' work in
>>>>the open (and who often seem to take great delight in striving to outdo
>>>>each other). You might not verify the fix yourself, but you can be sure
>>>>that others have done it for you.
>>>>
>>>>Turn the question on its head: who is it wiser to distrust?
>>>>
>>>>--
>>>>Tony
>>>>

--- BBBS/NT v4.01 Flag-4
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/1.45)

SOURCE: echomail via fidonet.ozzmosis.com
