-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
____/ AZ Nomad on Saturday 09 August 2008 22:36 : \____
> http://article.gmane.org/gmane.linux.kernel/706950
>
> <copied>
>
> From: Linus Torvalds <torvalds <at> linux-foundation.org>
> Subject: Re: [stable] Linux 2.6.25.10
> Newsgroups: gmane.linux.kernel
> Date: 2008-07-15 16:13:03 GMT (3 weeks, 4 days, 6 hours and 17 minutes ago)
>
> On Tue, 15 Jul 2008, Linus Torvalds wrote:
> >
> > So as far as I'm concerned, "disclosing" is the fixing of the bug. It's
> > the "look at the source" approach.
>
> Btw, and you may not like this, since you are so focused on security,
> one reason I refuse to bother with the whole security circus is that I
> think it glorifies - and thus encourages - the wrong behavior.
>
> It makes "heroes" out of security people, as if the people who don't
> just fix normal bugs aren't as important.
>
> In fact, all the boring normal bugs are _way_ more important, just
> because there's a lot more of them. I don't think some spectacular
> security hole should be glorified or cared about as being any more
> "special" than a random spectacular crash due to bad locking.
>
> Security people are often the black-and-white kind of people that I
> can't stand. I think the OpenBSD crowd is a bunch of masturbating
> monkeys, in that they make such a big deal about concentrating on
> security to the point where they pretty much admit that nothing else
> matters to them.
>
> To me, security is important. But it's no less important than everything
> *else* that is also important!
>
> Linus
> <copied>
>
> http://www.fortify.com/l/oss/oss_report.html
>
> <copied>
>
> Download the Open Source Security Study Today. Fortify's Open Source
> Security Study reveals that the most widely-used open source software
> packages for the enterprise are exposing users to significant and
> unnecessary business risk. Download this ground-breaking study and learn
> how:
>
> Open Source Software (OSS) development communities have yet to adopt a
> secure development process and often leave dangerous vulnerabilities
> unaddressed
> Nearly all OSS communities fail to provide users access to
> security expertise to help remediate
FORTIFY-MICROSOFT ALLIANCE
,----[ Quote ]
| Microsoft and Fortify Software are enabling software developers and testers
| to build and deliver more secure applications. Visual Studio 2005 Team
| Edition for Software Testers offers an easy-to-use yet powerful framework for
| testing. Fortify leverages this infrastructure and adds Web application
| security testing capabilities. The combination of the two effectively brings
| basic security testing out of the realm of specialized experts and into the
| hands of software testers. In addition, Fortify provides its award-winning
| source code analysis capabilities to Visual Studio Team Edition for
| Developers so security flaws discovered in development and testing can be
| diagnosed and fixed quickly. Working closely with the Visual Studio team has
| enabled Fortify Software to incorporate its innovative software security
| capabilities within the powerful Visual Studio...
`----
http://www.microsoft.com/windowsserversystem/applicationplatform/launch2005/partners/fortify.mspx
Always follow the money.
Ingres gives Fortify security study a good fisking
,----[ Quote ]
| Her main points:
|
| 1. There are other security toolkits other than Fortify. Just because you
| don’t use their system doesn’t mean you don’t care.
| 2. When reading vendor-sponsored studies consider the source. Always a
| wise move.
| 3. Open source projects in Fortify’s Open Review report fewer defects per
| thousand lines of code than proprietary products in the same review. I
| didn’t know that.
`----
http://blogs.zdnet.com/open-source/?p=2691
- --
~~ Best of wishes
Roy S. Schestowitz | D-I-S-C-O becomes D-I-E S-C-O
http://Schestowitz.com | RHAT Linux | PGP-Key: 0x74572E8E
07:05:01 up 19 days, 17:11, 3 users, load average: 0.40, 0.51, 0.53
http://iuron.com - Open Source knowledge engine project
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkiek4MACgkQU4xAY3RXLo6DzACbBl2SgyzrcTnFUkYZREkAVb8j
jQEAnR7Y2FKSzvAllb68/eUnDHdTfx4x
=whI3
-----END PGP SIGNATURE-----