"TrustedBSD" addons
Kevin Lyons
kevin_lyons at ofdengineering.com
Tue Jun 29 13:30:37 PDT 2004
Paul Robinson wrote:
> On Tue, Jun 29, 2004 at 01:40:35PM -0500, Kevin Lyons wrote:
>
>>Well, point being that more layers/lines of code added, the more
>>potential vulnerabilities.
>
> Myth. Which is more vulnerable to attack - the kernel that gets compiled
> when you build GENERIC, or a few lines that strcpy's some input received
> over a socket running as root?
>
> LOC is about as effective a measure of potential vulnerabilities as it is a
> measure of how productive a developer is or the quality of the design
> process - i.e. it's useless and the myth has been thrown around for god
> knows how long by people who really should know better.*
>
> Well-written code is well-written, no matter how many lines long it is.
> Ditto for badly-written code. I've seen 20-liners that could be broken by a
> competent 13-year-old, and 20,000-liners that were impregnable. I am not
> alone.
Hmmm, sounds like the exception that proves the rule. This is a nice
argument, but with real world large projects, i.e. with all things being
more-or-less equal, more (normal distribution quality i.e. AVG) code is
more potential vulnerabilities. I (and Microsoft no doubt) would love
to hear of any proof that contradicts this apparent common sense
construction. Is there an ACM or IEEE article that quantifies this?
>
>>I don't think we can say the FreeBSD or
>>TrustedBSD developers are any more exploit immune than other folks.
>
> Based on the number of security announcements over the last 5 years, I could
> argue very convincingly that the FreeBSD and TrustedBSD developers are far
> more exploit immune than the Microsoft OS developers.
>
> Of course, it would be complete bullshit, but that's not the point. :-)
>
>>Not ranting/trolling. Thanks for the info, that is good. As I said, I
>>have not installed/configured it yet. I have been noticing feaping
>>creaturism in FreeBSD as of late so I was simply concerned about it.
>
> "Of late"? You've *JUST* noticed? Wow. :-)
I will rephrase, I noticed enough to finally comment.
>
> * - yes, I know. I expect this now to explode into a silly thread. People
> really should know better.
>
--
Kevin Lyons
OFD Engineering, 950 Threadneedle Suite 250, Houston Texas 77079
Phone: 281-679-9060, ext. 118, E-mail: kevin_lyons at ofdengineering.com
More information about the freebsd-chat mailing list