Rockbox mail archiveSubject: Re: mp3 cutting and pasting
Re: mp3 cutting and pasting
From: Johan Vromans <jvromans_at_squirrel.nl>
Date: Wed, 11 Aug 2004 13:34:56 +0200
Fred Maxwell <rockbox_at_anti-spam.org> writes:
> Malicious code was found in many closed source projects, too, but I
> don't consider the discovery proof that closed source guarantees
> security. What concerns me is that, in both cases I mentioned, the
> malicious code went undetected for extended periods of time.
Yes, one would expect the malicous code to be expected much sooner.
But the bottom line is that the open source model is better than the
closed source model, although it is not perfect either.
> Ken Thomson's conclusion was: "You can't trust code that you did not
> totally create yourself," and that "no amount of source-level
> verification or scrutiny will protect you from using untrusted
> code." That seems to fly in the face of your assertion that having
> the source means that you can trust the code.
Again, I believe in the community. We, the community, wrote the
software, so we can trust it. At the least we can trust it more than
software we didn't write. Again, it may not be a perfect model, I
think it's better.
> What is the risk for a company like ZoneLabs if their firewall was
> found to contain malicious code?
It doesn't have to be malicious. The code can be in error, or just
overlooking certain cases (white-listing versus black-listing).
For a big company (or well-known individual) that has a name (market
share) to loose one would say that there's a big chance they at least
did their very best to prevent this from happening (but still they
won't take _any_ responsibility, read the EULA). On the other hand,
this seems to be contradicted by the experiences with the flaws found
in Windows and Internet Explorer.
The problem is that you just don't know, and have no ways to find out.
> None of the above is meant to imply that closed source is more
> secure than open source or vice-versa.
Very true. But with open source software at least you can do
Received on 2004-08-11