Thread: Build 10031
March 12th 15, 11:25 PM, posted to alt.comp.os.windows-10
GreyCloud[_2_]

Char Jackson wrote:

On Thu, 12 Mar 2015 12:42:42 -0700, T wrote:

On 03/12/2015 12:11 PM, Char Jackson wrote:
On Wed, 11 Mar 2015 12:37:45 -0700, T wrote:

You are deceiving yourself if you think Linux is not more
secure. It is open for anyone to look at. No back doors.
Worldwide code checkers.

I've heard that repeated many times over the years, and yet there have
been several OpenSSL issues that have recently come to light, one or
more of which is said to have existed for over a decade. Just because
people *can* check the source doesn't necessarily mean that anyone does.


Hi Char,

Of course. And when they are identified, they are fixed
immediately. That is one of the reasons why Linux is
far more secure (in this instance, a program running on Linux).


Some Windows security issues are also fixed immediately, while others are
rolled out on the normal patch Tuesday and still others take longer. I
don't think the Linux (OSS) community is significantly different.

You are completely missing the point. The OpenSSL issues and
the way they were handled is a triumph of how the system works.


Maybe we should just agree to disagree then, because that looks like a
perfect example that disproves the presumption that 'a lot of eyes can
look at the source and therefore it's more secure.'

There is a *HUGE* difference in the way these things are
handled by open source and by M$. M$ would have
ignored it until they were embarrassed by it, as in the
blaster virus.


Like the OSS community has been embarrassed by the multiple OpenSSL
vulnerabilities? I think that *HUGE* difference just evaporated.

And yes, there are exceptions.


In both directions. Linux isn't automatically worse in every way.


I wonder if the gcc team has fixed their APIs like strlen, and others?
I know that under Visual Studio, if you use the old C style primitives, it
flags these as insecure due to the potential for buffer overflows.
