From: Tony Williams 

One time less than the black-hats, obviously  . It's an arms-race
and I think that realistically there are always going to be holes in a
sufficiently complex app so the best we can expect is for the holes to be
plugged rapidly.

BIND and Sendmail do seem to be particularly weak, but maybe that's simply
because they're under attack the most.

--
Tony

Geo. wrote:
> How many times have these guys gone over the code in BIND and Sendmail?
>
> Geo.
>
> "Tony Williams"  wrote in message
> news:3de941a6$1{at}w3.nls.net...
>
>>Antti Kurenniemi wrote:
>>
>>>"Tony Williams"  wrote in message
>>>news:3de90000$1{at}w3.nls.net...
>>>
>>>
>>>>I chose the words carefully. You have a choice to trust many people
>>>>working out in the open and having their efforts publicly
reviewed, or
>>>>to trust a single source with no third-party corroboration.
Either way
>>>>you have to trust somebody to not have made a mistake or
been malicious
>>>>- what's that saying? "Trust, but verify". Closed
source lacks the
>>>>"verify" portion.
>>>
>>>
>>>That is true to an extent - for a normal average user the open source
>
> lacks
>
>>>the "verify" as well (who has the knowledge / time to
go find out if
>
> some
>
>>>problem has been fixed in all the millions of lines of code?). So it's a
>>>question of who to trust.
>>>
>>
>>Exactly - one vendor who makes claims which can't be independently
>>verified or a collection of developers who review each others' work in
>>the open (and who often seem to take great delight in striving to outdo
>>each other). You might not verify the fix yourself, but you can be sure
>>that others have done it for you.
>>
>>Turn the question on its head: who is it wiser to distrust?
>>
>>--
>>Tony
>>
>
>
>

--- BBBS/NT v4.01 Flag-4