On Wed, 24 Oct 2007, Jeremy Huiskamp wrote:

quoted text
> On 24-Oct-07, at 5:59 PM, L. V. Lammert wrote:
> > At 03:31 PM 10/24/2007 -0600, Theo de Raadt wrote:
> >> You must be more qualified with regards to the actual code than I am
> >> because I flat out don't believe this at all.
> >
> > Believe what? OBSD is secure? I thought you were proud of the
> > project? Sheesh! If our leader doesn't believe OBSD is secure, we
> > ALL better be running for cover. Linux, anyone?
>
> So you judge the security of the operating system by how many
> (possibly brash) risks its developers are willing to take with it?
>
Huh? What does that have to do with the number of known exploits for a
given OS?

A simple measure of an OS 'security' is the simple metrics of known
exploits that have been identified.

Certainly OBSD ranks high on the list, which is one reason why we're here.
Certailny good developers are important and appreciated.

The fact that Microshaft crap has hundreds or thousands of vulnerabilities
is the other extreme of the list.

quoted text
> That's counter-intuitive.  If I'm looking for security, I'd rather
> get my software from a developer who isn't satisfied because (s)he is
> more likely to work harder to improve it and be much more careful
> while doing it.  If confidence is all that matters, then heck, lets
> get rid of all the privilege separation and other risk-minimizing
> techniques because you don't need them when your code is flawless right?
>
I have no clue what you're trying to say??? The original comment was the
the number of vulnerabilities is a inverse measure of the security risk
associated with a given OS.

	Lee

================================================
  Leland V. Lammert            lvl@omnitec.net
    Chief Scientist     Omnitec Corporation
 Network/Internet Consultants   www.omnitec.net
================================================