Re: Evaluating subversion for an enterprise installation

From: Paul Koning <pkoning_at_equallogic.com>
Date: 2005-12-02 16:16:40 CET

>>>>> "David" == David Johnson <johnson_d@cox.net> writes:

David> 3a. There is a mindset issue I need to address. Specifically,
David> I need to demonstrate that having open source code does not
David> make the product less secure. Has anyone addressed this
David> before? Are there some good references and/or case studies?

It's well established that open source is MORE secure. More eyes on
the code. No expectation that sloppy coding is allowed because no one
will ever see the code and spot the holes.

Some people have the confused belief that keeping the workings of the
machinery secret is helpful to security. It is not. This has been an
absolute rule in the encryption community for over a century:
Kasiski's principle (if I remember right) -- every detail of the
machinery is known, the only thing secret is the keys. That is the
basis on which three-letter agencies have evaluated cipher systems for
a century now -- clearly that is the right basis for looking at
software security.

paul

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Dec 2 16:26:50 2005

This message: [ Message body ]
Next message: Kjell Harald Andersen: "Sponsoring features (Bundles)"
Previous message: Adalberto Castelo: "Re: coping with different coding styles"
In reply to: David Johnson: "Evaluating subversion for an enterprise installation"
Next in thread: Hernan Martinez - ECC: "RE: Evaluating subversion for an enterprise installation"
Reply: Hernan Martinez - ECC: "RE: Evaluating subversion for an enterprise installation"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]