open source at its best

CareBear
March 3rd, 2003, 14:45
To me this is a prime example of why open source just doesn't work.

http://news.com.com/2100-1009-990802.html

"You have to understand that this is a very arcane security issue," he said. "It has been present in Sendmail code for 15 years and that code has been through multiple inspections."

The only real advantage people can claim about open source is that it gives millions of people the chance to look at the code and turn it inside out, but this bug apparently escaped everyone's attention for 15 years.
It's probably been reused in part a hundred times in applications where people don't even know it's based on the sendmail source, and where either the customers or even the author won't be aware of the security flaw.

Daniel
March 3rd, 2003, 15:05
I always knew about that and I just don't care. Reason: I don't use sendmail.

CareBear
March 3rd, 2003, 15:15
Originally posted by Daniel
I always knew about that and I just don't care. Reason: I don't use sendmail.

50-65% of all mail servers do apparently though... should be fun if someone decides to test it

notnamed
March 3rd, 2003, 15:29
The only real advantage people can claim about open source is that it gives millions of people the chance to look at the code and turn it inside out

Give me a real disadvantage. This is one piece of software; if people were stupid enough not to find this bug, that's their problem. Give me a _real_ disadvantage against open source.

CareBear
March 3rd, 2003, 17:55
Originally posted by notnamed
Give me a real disadvantage. This is one piece of software; if people were stupid enough not to find this bug, that's their problem. Give me a _real_ disadvantage against open source.

50-65% of all the mail servers have a bug now that was discovered in one piece of code which others have reused countless times. Each software packet that is based on sendmail will have to be patched, and whether or not it will get patched in the first place depends on if the developer will hear/read about it some place, since he/she was just being lazy and copy/pasted someone else's code without bothering to write his/her own.

If it had been closed source then just one program would have had that particular bug and just checking that company's website regularly would have made you aware of a security flaw so you can download the patch and be happy.

Open source also tends to abandon older versions... if a flaw is discovered in one version it doesn't get fixed. The next version just won't have it anymore.
If that seems normal to you then compare it to Microsoft telling you: "oh yes we know about a flaw in Windows 98 but we really can't be bothered to fix it. Just update to Windows XP, it won't have the flaw. And no we don't care if you like the older Windows better. It's update or live with buggy software".

notnamed
March 3rd, 2003, 19:21
50-65% of all the mail servers have a bug now that was discovered in one piece of code which others have reused countless times. Each software packet that is based on sendmail will have to be patched, and whether or not it will get patched in the first place depends on if the developer will hear/read about it some place, since he/she was just being lazy and copy/pasted someone else's code without bothering to write his/her own.

sendmail developers != all open source developers. The devs of sendmail could be really, really stupid, but that shouldn't echo off all other open source devs.


Open source also tends to abandon older versions... if a flaw is discovered in one version it doesn't get fixed. The next version just won't have it anymore.

And that's..........bad?



If that seems normal to you then compare it to Microsoft telling you: "oh yes we know about a flaw in Windows 98 but we really can't be bothered to fix it. Just update to Windows XP, it won't have the flaw. And no we don't care if you like the older windows better. It's update or live with buggy software".

Uh yeah, they do say that. Since when have older versions of Windows been properly updated? Windows 95, etc...

CareBear
March 4th, 2003, 13:47
Originally posted by notnamed
sendmail developers != all open source developers. The devs of sendmail could be really, really stupid, but that shouldn't echo off all other open source devs.

The supposed "joy" of open source is that the original development team doesn't have to be perfect but that since the source is widely available anything they miss would be picked up by the thousands of eager people that go over the code one by one.
If you don't consider that true for open source code then the only reason left for it is plain laziness or incompetence to write code to do something by yourself.


And that's..........bad?

I'll take PHP as an example. I've never seen them say: "we found a security hole, download this patch to fix it" but instead it's always: "we found a security hole, upgrade to the latest version if it's something you can't live with".
I picked PHP because the features from release to release can differ a lot. Default settings suddenly get changed from disabled to enabled, different packages become part of the main PHP binary, some variable name becomes deprecated etc.
If your old version works but the new one doesn't then what are you going to do? Spend hours fiddling with textfile configurations or track through your scripts knowing they could have just provided a fix but couldn't be bothered?


Uh yeah, they do say that. Since when have older versions of Windows been properly updated? Windows 95, etc...

Windows 95's lifecycle has ended and after 8 years I don't mind at all. Each OS/product will continue to be supported during its active lifecycle (http://www.microsoft.com/lifecycle). It's normal for a commercial product to be fixed even though a newer version is available. I don't see why the same shouldn't be true for open source projects.

Ben
March 4th, 2003, 19:26
I'll admit, each side has its advantages and disadvantages. Open source software may promote laziness like CareBear said, but when people like Linus Torvalds come around and do the absolute best they can, a sort of revolution occurs, making new standards in stability and security alike. But then there's the corporate environment; these "corporate assholes" are paid to do the best they can, so morale may be higher than if someone is not paid to develop something (which is usually the case with open-source), though earlier versions of Microsoft Windows lack the quality you would expect from a corporate environment like Sun Microsystems.

Just My $0.02 :)

jurupa
March 4th, 2003, 19:50
Let's see, open source does/can promote laziness in programming. But if you look at closed source you have the same thing. Tell me how easy it is to do a buffer overflow to Internet Explorer compared to Netscape. Same with operating systems. Yes so far Windows XP has been the most stable Windows yet, but Linux has been stable since its release.

You go on and on for different things. There have been many arguments for both sides, but for the most part open source has won the majority of them.

CareBear
March 5th, 2003, 03:36
Originally posted by jurupa
Tell me how easy it is to do a buffer overflow to Internet Explorer compared to Netscape. Same with operating systems. Yes so far Windows XP has been the most stable Windows yet, but Linux has been stable since its release.

This is the last thing I'll add to this thread, but a piece of software that 85-90% of all people use is bound to break more than something just 5-10% use. I don't know how easy/hard it is to exploit a buffer overflow in IE, it's a tool for surfing the web. As long as it can do that without crashing I'm a happy bear. :)
I can count the number of times IE has crashed over all the years on my 10 fingers.. I could do the same for Netscape except I'd need to add 2 or 3 zeros behind the first digit.
Same with OSes... how many people run Linux full time for personal use compared to Windows? Linux boxes running servers don't count. If you leave a computer alone and only interact with it over the network it'll pretty much stay running indefinitely, doesn't matter if it's Linux or Windows.
Also the number of bug fixes and patches for security exploits is about the same for both Windows and Linux.

notnamed
March 5th, 2003, 09:50
I can count the number of times IE has crashed over all the years on my 10 fingers.. I could do the same for Netscape except I'd need to add 2 or 3 zeros behind the first digit.

I'd have to do the same that you do for Netscape for IE, but it's probably because when I most used IE was when IE5.5 was out and I was still running Windows 95 on a Pentium I 200MHz machine :wink2:


Same with OSes... how many people run Linux full time for personal use compared to Windows?

More than you'd think. Of course, Windows has more users, but that's because computer-illiterate people can't or won't change the OS that came with their computer.
This post was brought to you by boredom.

jurupa
March 5th, 2003, 21:07
Any desktop computer will crash at some point with any OS. So far Windows XP has had a good record of not crashing besides some 3rd party programs. But it will have an OS crash.

On the buffer overflow, it is quite easy to do. All it is is sending a bunch of packets or requests or info to the browser.