Re: Re: Funny article

[David Maynor <dave () 0dayspray com>]

On Thu, Nov 13, 2003 at 03:20:14AM +0100, Mikael Olsson wrote:
> I'm sorry to disappoint you, but the script kiddies don't care
> about zealotry. I have yet to hear one say "Oh, this is a Linux
> box, so I can't use this Apache bug to own it. That'd be rong."
I don't think anybody said a linux box can't be owned with an apache
flaw. My arugemnt for count of bugs is the should be counted against the
people who actually WROTE the code. In Microsofts case it is becasue
they wrote IIS, 2000/XP/2003, and Exchange. In contrast the Linux kernel
projecn that just wrote the kernel. It sounds like you want a list of
opensource bugs vs. Microsoft Bugs.

> Saying "the linux kernel has only foo bugs while every microsoft
> app combined has foo^3 bugs" makes no sense in a security 
> discussion. You don't read mail or serve web pages with a kernel.
No one is saying this. To be truely useful a list of bugs should be done
by developer, not by instance of software. This will help establish
trends in my software development practices.

> Publishing an _unbiased_ report of total vulnerability counts 
> for two or more OSes, with common apps installed, is a service
> to admins everywhere.  (And no, I _really_ don't think comparing 
> RH6 with W2K3 is "unbiased". I think it stinks.)
I think blaming OS developers for code they didn't write nor have any
control over isn't unbiased. It would be a diffrent story if it was a
flaw in something like redhat-update. That is clearly a Redhat bug, but
that is still not a Linux bug.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html