[thelist] News Item: Major Security Flaw in CVS

shawn allen shawn at alterior.net
Thu Jan 23 14:43:01 CST 2003


quoth James Aylard:
> shawn allen wrote:
> >> Not to start a flame war, I do hope that this brings a bit of
> >> balance to the commercial vs. open source debate.
> >
> > Huh? The CVS developers released a patch on the *day* this was
> > released. When's the last time any commercial vendor released a
> > vulerability patch so quickly?
>
> The developers were given advanced warning by Stefan Esser before he
> released word of the vulnerability publicly. Both Esser and the CVS
> developers acted appropriately. In many cases, when a commercial
> developer is given advanced notice of a security vulnerability in its
> software, that company will also develop a patch prior to public
> notification. But if no advanced notification is given the developer,
> as sometimes happens, then obviously there will be a delay in the
> production of a patch.

Delay in the production of a patch for a serious vulnerability? From
what I gather, this was fixed almost immediately once it had been
divulged to the CVS developers. Try getting that kind of turnaround from
any commercial vendor. Oftentimes, the folks that discover
vulnerabilities in Microsoft software become frustrated with being
unable to contact their developers, and release an exploit as an
*impetus* to have the problem fixed. Typically, open source developers
are easy to reach, more open to feedback, and quicker to respond to
problems.

Better yet, the folks that discover vulnerabilities in open source
software have the opportunity to formulate patches and submit them to
the developers so that they can fix and release them even *more*
quickly.

> > And who's to say that there aren't many more such vulnerabilities in
> > commercial packages that we don't know about?
>
> I don't know? Who? I certainly didn't say that. I only said that I
> hope this brings some balance to the debate.

I still don't see how... Software has bugs. The very nature of open
source software allows people to discover those bugs and vulnerabilities
before exploits are developed, and for the developers to more quickly
release patches. Commercial vendors have to deal with many more hurdles
before they can release patches, and are often compelled to delay those
release so that they can roll as many changes into their updates as
possible (presumably so as not to inconvinience the user with multiple
downloads).

Open source products have a different kind of relationship with their
users, in which it's understood (if not expected) that yes, bugs do
exist, but also that they are more quickly fixed. Updates are
immediately available to the users in the form of full source downloads
or diff patches, allowing users and other interested parties to see
*exactly* what has changed.

We could go on and on debating the various merits of both open source
and commercial software, but when it comes to overall product security
and the speed at which vulnerabilities are repaired, OSS has the
commercial world beat by a long shot. Remote exploits go unfixed for
*months* in the world of big, expensive applications. Rarely (if ever)
is that the case with OSS.

--
shawn allen
  mailto://shawn@alterior.net
  phone://415.577.3961
  http://alterior.net
  aim://shawnpallen




More information about the thelist mailing list