On Mon, Jun 27, 2005 at 09:35:08PM +0100, Gordon, JC (John) wrote:
> David, I am convinced of the merits of open source but also of the
> rights of developers not to take that route.
>
> My last paragraph had its meaning changed by a last minute edit. When I
> said I didn't have a solution, I meant to the use case of the sysadmin
> who wants to eyeball everything. For the general case of scrutiny of non
> open software we do have an option which is for certification by some
> trusted third party. Would GridPP sysadmins feel happier about software
> which had been scrutinised and approved by someone they knew? Say Jens
> or Andrew MacNab? I am trying to get EGEE to introduce some sort of
> security review of middleware as part of EGEE2.
As a sysadmin I would feel slightly happier if someone in GridPP
went through the code but that's *far* away from getting me happy.
With Open Source it's not that it's just me looking at the code but
it's *all* of us together. It's easy for one person to miss something
but if more of us have access to the code then it's less likely that
we'll miss something.
I *do* try to find holes at d-cache (or any other software) and if
I find a security hole in a closed source software my only option
is to disable it. On the other hand if it's open source I can try
to fix the problem. Which software do you think is going to be better
a few years down the line?
Kostas