Home > Blogs > Open Source Security

Open Source Security

By  Aug 21, 2007

Topics: Open Source

I like Open Source, but I don't like vendors who munge versions or who don't update their code quickly enough.  That said, can't you type 'make'?

Security newsletters are bad mouthing Apple because Apple seldom updates their Samba implementation.  Get in line.  I once saw a major hole in wuftpd patched in hours by the the wu group yet remain unpatched by a major UNIX vendor for some 9 months!

Why are vendors slow at patching their adaptations of Open Source distributions?  Who Cares???  Why aren't you compiling from source?

I like wu-ftp.  I know it needs patching.  Often.  So does Samba.  So does Sendmail.  Ditto for OpenSSL and OpenSSH.  Bind as well.  All code needs patching from time to time.  Accept it.  So why do so many use vendor-modified versions of Open Source software?  Why not use the native distro and get all the powers?

I couldn't get virtual ftp servers to work with the RedHat distribution.  Problem?  Support for vftpd's not compiled into their distro.  No notes to that effect.  Just a bitter realization.  What, can't people type configure with parameters?

So, if compiling from source enables you to stay current and avoid upstream vendor delays and big security holes, why do so few attempt it? 

Use the Source, Luke.

jt, Over-WAN Connectforme

Comments

comments powered by Disqus