John Summerfield wrote:
> Many years ago, RH used to ship CDE, maybe around RHL 4.x.
> Unfortunately, CDE had a security problem. CDE is closed software. RH
> takes security more seriously than its supplier did. RH could not get a
> fix in a suitable timeframe.
> RH immediately withdrew support, suggested people did not use it, and
> offered paying customers a credit against their next purchase.
> RH was a new company then; anyone who's still around from then is likely
> senior management now.
> Whatever their beliefs then, I'm sure that that experience moved them a
> few points towards "open source and only open source."
I think this puts a very unwarranted spin on open vs. closed source
software. In fact if you examine what was shipped in RH4.x you'd find
glaring security issues in just about _every_ package and the ones that
didn't have their own inherited exploitable environment overflows, etc.
from the libraries. That wasn't particularly RedHat's fault, it was
just that no one expected the bad guys to read the source code before RH
shipped a CD that would install on anyone's PC. But fast forward to
RH6.x and you'd still find exploited vulnerabilities in bind, sendmail,
the ftp programs, smtpd, samba, and so on. You can't make a blanket
claim that bugs are going to be fixed just because someone who could fix
them has the source. As I recall, the one in smtpd got fixed just about
everywhere at the same time, closed and open versions. I haven't
followed CDE but I'd assume that if it is still used, its known
exploitable bugs have been fixed too, RedHat's grandstanding about the
issue while still shipping other bugs notwithstanding.
--
Les Mikesell
lesmikesell@xxxxxxxxx