Very nicely said Bloudraak: "It's somewhat of a fallacy to assume that open source projects are being reviewed and audited." Agreed, but many of the open source packages that UTM uses have extremely good governance, as they also have a very widely used commercial branch. Those that are purely free are so ubiquitous within the Linux world that they must be reviewed and updated frequently or risk being dropped by the distros that use them, which are used by governmental entities, banks, etc. We are of course also making an assumptive leap about code reviews. Let's take Juniper for example. They have stated that they're doing a code review in order to put their customers' minds at ease after the recent issue. Will they put 1000 of the best programmers and code security auditors in the world on it, using the greatest debuggers and software auditing tools ever created, or do they put Bubba, who just created his first "Hello World" two months ago, on it? We just don't know. There is only one guarantee that requires no assumptions: there will still be bugs and vulnerabilities in code that no one has either thought to exploit yet... or is willing to. This was fun. ...and you are correct that it can't be stated to the public, but suffice it to say that Sophos does have a vetting process for its code. :)