RES: Exploits start against flaw that could hamstring huge swaths

Baldur Norddahl baldur.norddahl at gmail.com
Tue Aug 4 21:21:00 UTC 2015


Den 04/08/2015 19.18 skrev "Christopher Morrow" <morrowc.lists at gmail.com>:
>
> On Tue, Aug 4, 2015 at 12:51 PM, Baldur Norddahl
> <baldur.norddahl at gmail.com> wrote:
> > On 4 August 2015 at 18:48, Joe Greco <jgreco at ns.sol.net> wrote:
> >
> >> However, the original point was that switching from BIND to Unbound
> >> or other options is silly, because you're just trading one codebase
> >> for another, and they all have bugs.
> >
> >
> > It is equally silly to assume that all codebases are the same quality and
> > have equally many bugs. Maybe we should be looking at the track record of
> > those two products and maybe we should let someone do a code review. And
> > then choose based on that.
>
> because:
>   1) historical results matter here? (who looked at which products
> over what period of time, with what attention to detail(s) and which
> sets of goals?)
>   2) the single person doing a code review is likely to see all of the
> problems in each of the products selected?
>

Maybe not, but a code review can tell what methods are used to safeguard
against security bugs, the general quality of the code, the level of
automated testing, etc. History can give hints to the same. If a lot of
bugs have been discovered in it, it is likely not of good quality from a
security perspective, and more bugs can be expected.

It is called due diligence. The aim is not to find the bugs but to evaluate
the product.

Regards

Baldur


