From: Frank Knobbe (frankknobbe.us)
Date: Wed Jun 09 2004 - 16:22:49 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2004-06-09 at 16:04, Dave Aitel wrote:
> [...]
> The question now is - is CVS safe to use?
> [...]
> If you're killing bugs as a legitimate effort to make something
> secure, you need to realize that unless you can stand behind your
> releases and say that "this software is now secure" you aren't doing
> anything.

Aw, come on Dave. Be serious now. People find bugs in certain areas of
code and correct them. Can they attest that the rest of the code is
secure? Of course not! Neither can you or any other developer, not even
Microsoft. They can say "it is safe as far as they can tell" but that is
it. I mean, even if e-Matters or whoever does a complete source code
review of CVS, they can only say it's safe as far as they know. It
doesn't mean that other folks might not find bugs anymore when they look
at it. Of course they might find some because they look at code
differently, or just stumble upon something that was simply overlooked.

Making it sounds like they are a complete waste of Internet resources
and scum of the earth is hardly the proper way to encourage code review,
don't you think?

That said, I do share your frustration with advisory pimps that want to
keep the mystique of Internet security alive, donning the cape of a
superhero shrouded in a veil of supreme half-knowledge.

Perhaps I should write my own advisory know listing the bugs e-Matter
and the other folks found. Coming to think of it, perhaps I should
rewrite every advisory that crosses the list... :)

Cheers,
Frank

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQBAx3+pJjGc5ftAw8wRAoHqAKDDUykw+MutE6bXNlxIopIbxa8YPwCeNIB5
BJ7AUTHFXGL7y3aPjTWUsko=
=k9oC
-----END PGP SIGNATURE-----

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]