Mail Archives: cygwin/2003/12/22/20:53:50
On Mon, Dec 22, 2003 at 04:31:57PM -0600, Jim Ramsay wrote:
>Christopher Faylor wrote:
>>Yeah. You're right. It's better to just assume it's gloriously
>>trustworthy if it's free software and maliciously bad if it comes from
>>Microsoft.
>
>I like your sarcasm, but I prefer to assume that the only truly secure
>network is one without computers attached, and the only truly secure
>computer is one with no OS, or no users :)
>
>Sadly both of these are hard to do anything useful with, so in reality
>I believe (in general) it is easier to check the security of an
>open-source product since I can look at the source code and see if
>there are unchecked buffers, backdoors, etc. I am by no means a
>security expert, so I'm sure I'd miss lots of things, but theoretically
>there are lots of other people also checking the same code as me and
>helping make things more secure.

This is a very good point and it is one of the reasons why free software
is so powerful. So, in theory, free software *should* be more secure.
It varies, in practice, however, depending on the project.
Cygwin went many years before anyone cared enough to start looking into
making it more secure. So, theoretically, it did not benefit very much
from all of the theoretical eyes looking at the source code. In fact,
the usual questions to this mailing list on this issue do not evince the
slightest desire to investigate source code. It is refreshing to see
someone approaching things from this angle even if it is unfortunate
that the person had problems (which I can't explain) building cygwin.
--
Please use the resources at cygwin.com rather than sending personal email.
Special for spam email harvesters: send email to aaaspam AT sourceware DOT org
and be permanently blocked from mailing lists at sources.redhat.com