
Re: Evaluating subversion for an enterprise installation

From: Paul Koning <pkoning_at_equallogic.com>
Date: 2005-12-02 16:16:40 CET

>>>>> "David" == David Johnson <johnson_d@cox.net> writes:

 David> 3a. There is a mindset issue I need to address. Specifically,
 David> I need to demonstrate that having open source code does not
 David> make the product less secure. Has anyone addressed this
 David> before? Are there some good references and/or case studies?

It's well established that open source is MORE secure. More eyes on
the code. No expectation that sloppy coding is allowed because no one
will ever see the code and spot the holes.

Some people have the confused belief that keeping the workings of the
machinery secret is helpful to security. It is not. This has been an
absolute rule in the encryption community for over a century:
Kasiski's principle (if I remember right) -- every detail of the
machinery is known, the only thing secret is the keys. That is the
basis on which three-letter agencies have evaluated cipher systems for
a century now -- clearly that is the right basis for looking at
software security.

         paul

Received on Fri Dec 2 16:26:50 2005

This is an archived mail posted to the Subversion Users mailing list.