
Re: ssh based access?

From: Alex Holst <a_at_area51.dk>
Date: 2002-04-16 05:32:46 CEST

Quoting Perry E. Metzger (perry@wasabisystems.com):
> It isn't a question of what we would like. In general, once an app
> gets too large you can't audit it, and Apache is way way bigger than
> you can audit.

Nonsense, it just requires more of an effort. I'm as (much more,
actually) concerned about the assurance of the software I use as the
next guy, but saying "it's too big to audit" is FUD. I agree it is a
substantial codebase, but it is not an impossible task. It helps when
someone other than the vendor is willing to testify to the quality of a
piece of software. Brian Snow's talk on "We Need Assurance" (available
as streams on the blackhat.com site) explains some of this.

I recall that OpenBSD fed patches of 1.x back to the Apache developers.
I see no reason that they won't do this with 2.0 if they decide that
Subversion takes the place of cvs.openbsd.org -- which also runs Apache.

Apache 1.3.x has greater levels of assurance attached to it than OpenSSH
currently does. Apache 2.x currently carries almost no assurance but
eventually, it will. If you require greater assurance than "almost
none", and you require it _now_ get your NetBSD code reviewers out of
bed, cause there's work to be done.

Alex

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.                  http://a.area51.dk/
Received on Tue Apr 16 05:33:39 2002

This is an archived mail posted to the Subversion Dev mailing list.
