BSD derivatives

Chad Perrin perrin at apotheon.com
Sun Jun 3 05:59:02 UTC 2007


On Sat, Jun 02, 2007 at 10:10:08PM -0500, Paul Schmehl wrote:
> --On June 3, 2007 4:33:01 AM +0200 Jona Joachim <jaj at hcl-club.lu> wrote:
> >>
> >>I disagree.  I'd say that OpenBSD and FreeBSD put security in exactly
> >>the same place -- at the top of the list.
> >
> >Sorry but I have to disagree here.
> >FreeBSD ships with closed source software including the following drivers:
> >ath, nve, oltr, rr232x, hptmv.
> >Closed source software implies potential insecurity. If security is at
> >the top of the list then I see a clear contradiction here.
> >
> Sorry, but that's an incredibly naive statement.  *All* software implies 
> potential insecurity.  It's the nature of software.
> 
> If it were untrue, there would be no security patches for open source 
> software.

Discovery of vulnerabilities in need of patching is not the same as an
unsecured system.

The key to the above statement that closed source software implies a
lack of security is that with closed source software there is an
unavoidable and necessary assumption that the vendor has your best
security interests at heart and will achieve the same security success
that you would, in addition to any success it might itself achieve.

The facts have shown that not only are proprietary, closed source
software vendors prone to ignoring or hiding vulnerabilities dismayingly
often rather than fixing them, but they also (even more dismayingly, but
hopefully less often) intentionally include functionality that we the
end users would consider security vulnerabilities, and pretend such back
doors, rootkits, and spyware do not exist.

In short -- software is not trustworthy, which is why double-checking it
(in the form of peer review and personal source code access) is so
important to security.  When peer review and personal source code access
are not available, your only option is trust, which is a losing
proposition by definition when dealing with software.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
print substr("Just another Perl hacker", 0, -2);