From a friend who shall remain nameless, lest he get flamed to oblivion. I think this speaks for itself. Physician, heal thyself.
Eric Raymond coined the term “Many eyes make all bugs shallow”. He has an open source product, Fetchmail. In the last six months there have been at least four serious buffer overruns in the product:
| Oldest affected version | Release date | Vuln date | Days til found | CVE Number | Short comment |
|---|---|---|---|---|---|
| 5.3 | 2/22/00 | 10/11/02 | 962 | CAN-2002-1174 | long headers |
| 5.3 | 2/22/00 | 10/11/02 | 962 | CAN-2002-1175 | DNS records |
| 5.9 | 8/13/01 | 12/23/02 | 497 | CAN-2002-1365 | “@”s in local addresses |
| 2.5 | 12/23/96 | 6/25/02 | 2010 | CAN-2002-0146 | Message limits |
Look at the length of time from the defective version being released to the date the defect was found (or at least made public). Makes you wonder about the “many eyes” philosophy, doesn’t it 🙂

Note: the version release date comes from ESR’s news page.
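As an added example (not part of the post, and not Fetchmail code), the Python below recomputes the “Days til found” column from the table’s own release and disclosure dates, so a reader can check the exposure windows rather than take them on trust. The rows are copied from the table above; the assumption that the dates are m/d/yy with a two-digit year is mine, and a release date that parses as later than its disclosure date is rejected instead of silently producing a negative count.

```python
from datetime import datetime

# Constructed copy of the table in the post: (CAN id, oldest affected
# version, release date, vulnerability/disclosure date), dates as m/d/yy.
FETCHMAIL_ADVISORIES = [
    ("CAN-2002-1174", "5.3", "2/22/00", "10/11/02"),
    ("CAN-2002-1175", "5.3", "2/22/00", "10/11/02"),
    ("CAN-2002-1365", "5.9", "8/13/01", "12/23/02"),
    ("CAN-2002-0146", "2.5", "12/23/96", "6/25/02"),
]


def parse_mdy(text):
    """Parse an m/d/yy date (assumed format).

    strptime's %y maps 69-99 to 1969-1999 and 00-68 to 2000-2068,
    so "12/23/96" becomes 1996 and "2/22/00" becomes 2000.
    """
    return datetime.strptime(text, "%m/%d/%y").date()


def days_exposed(release, disclosed):
    """Days from the first vulnerable release to public disclosure."""
    delta = parse_mdy(disclosed) - parse_mdy(release)
    if delta.days < 0:
        # A mistyped year (e.g. 2/22/20 for 2/22/00) would land here.
        raise ValueError(f"disclosure {disclosed} precedes release {release}")
    return delta.days


def exposure_table(rows=FETCHMAIL_ADVISORIES):
    """Map each CAN id to its exposure window in days."""
    return {cve: days_exposed(rel, vuln) for cve, _ver, rel, vuln in rows}


if __name__ == "__main__":
    for cve, days in exposure_table().items():
        print(f"{cve}: {days} days from vulnerable release to disclosure")
```

Running it reproduces the 962, 497 and 2010 day figures in the table; feeding it a release date typed as “2/22/20” raises an error, which is the check that caught the inconsistency between the two 5.3 rows.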
