
Re: [LUG] OpenSSL --> LibreSSL

 

On Sat, Apr 26, 2014 at 02:29:14PM +0100, Simon Waters wrote:
> Microsoft are doing better than they were. But April's patches include
> remote code exploitation critical issues across all supported platforms
> which have Internet Explorer (and Windows XP).
> 
> I was using Microsoft as an example simply because they had the largest
> piles of cash, have been emphasising security, especially in products
> like IE, but it is rare a month goes by without similar critical issues.

I tend to hold the view that security issues are an inherent part of
software. It's not about how many people find, it's about how much is
being done to prevent them in the first place and how good your patching
process is. In both cases, Microsoft is doing fairly well given how big
a target they are. 

> I doubt with Microsoft as sponsor they'll
> get away with dropping Windows support for example, even if in
> engineering terms it made sense.

The Linux Foundation say the funding comes without any strings attached.
(That's the funding from the LF to the projects, but the argument still
holds. I don't think the big firms should be seen as "sponsors"
either. Given how much they benefit from a secure Internet, they have a
clear self-interest in giving money to this cause.)

> Might simply be
> better to move away and let it die. Focus the efforts on a better code
> base, there are a fair few free implementations to pick from.

Given how many websites weren't vulnerable to Heartbleed because they
hadn't upgraded OpenSSL since March 2012, I'd say letting it die is
more easily said than done.

But the funding is to critical open source projects in general, not to
OpenSSL in particular, so it's possible that they might decide to give
it to another project.

Martijn.



-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq