From: Warner Losh
Date: Wed, 5 Sep 2018 09:26:52 -0600
To: Arthur Krewat
Cc: TUHS main list
Subject: Re: [TUHS] SunOS code?

On Wed, Sep 5, 2018 at 6:55 AM Arthur Krewat wrote:

> On 9/5/2018 2:31 AM, Gilles Gravier wrote:
> > It's the common example that I use to tell people that opensourcing
> > software makes it more secure because the good guys have access to the
> > source code at the same time as the bad guys, which gives them a fair
> > chance to fix bugs before the bad guys use them.
>
> Bash/Shellshock kinda proves that premise incorrect, although it's
> pretty much the worst-case example, but still... ;)

I'm not sure it does. It proves that bugs aren't instantly found, true. It doesn't provide perfection, but does make it easier to find / fix bugs before the bad guys. How long would such a bug have languished if it were buried inside of DCL.B32 instead of being out in the open?

Warner

