Subject: Re: Issue 50 of the NetBSD CVS Digest is out.
To: Rhialto <firstname.lastname@example.org>
From: Thor Lancelot Simon <email@example.com>
Date: 04/10/2006 21:39:19
On Mon, Apr 10, 2006 at 10:49:56PM +0200, Rhialto wrote:
> On Mon 10 Apr 2006 at 16:34:32 -0400, David Maxwell wrote:
> > I couldn't disagree more.
> > Are you suggesting that companies shouldn't contribute to open source
> > projects because they'll then come under fire for not "giving away"
> > the way they make their business work?
> It makes it more difficult to verify what is going on. Many security
> analysts argue that full disclosure of any security bugs in products is
> the best overall strategy. Do we know now if all problems that are found
> are being disclosed, or if perhaps some are withheld? I guess we can't
> check. (Yes, I tend to be paranoid)
I'd just like to understand this a little better. Please help me.
Are you suggesting that we could somehow _prevent_ Coverity from
running their scanner over our source tree?
If so, how, exactly?
If not, then how, exactly, are we any worse off if they tell us about
_any_ of the bugs they find? Every bug we learn about, however we
learn about it, is a bug we can try to fix.
Whether you think they are nefariously holding back some secret set of
bugs or not, we cannot _stop_ them from finding such (hypothetical)
bugs, and in any event the (supposed) existence of such bugs in no
way diminishes the benefit to us of fixing any bugs we _do_ learn