On Thu, Dec 04, 2003 at 06:21:33PM +0100, Johannes Zarl (johannes.zarl@ahl.uni-linz.ac.at) wrote:
> On Thursday 04 December 2003 17:43, Tom wrote:
> > On Thu, Dec 04, 2003 at 10:15:12AM -0600, John Hasler wrote:
> > > ... That's why the kernel
> > > developers thought it was just an ordinary bug: they could see no way
> > > to exploit it.
> >
> > That statement is somewhat disconcerting. The hypothesis is that many
> > eyes detect secure bugs, and here is clear case evidence contradicting
> > that hypothesis.
>
> <nitpicking>
> Actually, the hypothesis is that many eyes detect severe bugs more likely.
> So one severe bug going undetected (or in this case underestimated)
> doesn't disprove the hypothesis.
> </nitpicking>
It was detected, all right.
It just wasn't reported back to Kernel Development as a security bug
directly.
> > One must assume there are more bugs in this class.
>
> Definitely. Like in every big software-project one must assume there are
> (severe) bugs going undetected.
IIRC, it was a prior nonproductive thread with "Tom" which pointed out
seeding and metrics as a way of estimating such bug counts.
Peace.
--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
The truth behind the H-1B IT indentured servant scam:
http://heather.cs.ucdavis.edu/itaa.real.html
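A worked example of the "seeding and metrics" bug-count estimation the last paragraph alludes to. This is an added example, not code from the thread or from any kernel project; it implements two textbook estimators, Mills' fault-seeding model and the Lincoln-Petersen capture-recapture estimate applied to two independent reviews (the "many eyes" hypothesis in a measurable form). Every count and bug identifier in it is constructed sample data.

```python
"""Estimating undiscovered bug counts from seeding and from independent reviews.

Added example, not part of the original mailing-list thread.  Mills'
fault-seeding model and the Lincoln-Petersen capture-recapture estimate are
standard; the numbers and bug identifiers below are constructed.
"""
from fractions import Fraction


def seeding_estimate(seeded, seeded_found, native_found):
    """Mills' fault-seeding model.

    `seeded` artificial bugs are planted before review.  Reviewers then report
    `seeded_found` of the planted bugs and `native_found` real (unplanted)
    ones.  Assuming planted and real bugs are equally hard to spot, the
    fraction of seeds caught estimates the fraction of real bugs caught, so

        estimated real bugs = native_found * seeded / seeded_found

    Returns (estimated_native_total, estimated_native_remaining) as exact
    Fractions so rounding never hides a small remainder.
    """
    if seeded <= 0 or seeded_found <= 0:
        raise ValueError("need at least one planted bug found to estimate")
    if seeded_found > seeded:
        raise ValueError("cannot find more planted bugs than were planted")
    total = Fraction(native_found * seeded, seeded_found)
    return total, total - native_found


def capture_recapture(found_by_a, found_by_b):
    """Lincoln-Petersen estimate from two independent reviews.

    Reviewer A's findings play the role of the "marked" population, reviewer
    B's findings the recapture.  If the two reviews are independent, the size
    of the overlap says how much of the whole population each one sampled:

        N ~= |A| * |B| / |A & B|

    Returns (estimated_total, estimated_remaining), or (None, None) when the
    reviews share no finding: the estimator diverges, which itself signals
    that both reviews saw only a small part of a much larger population.
    """
    a, b = set(found_by_a), set(found_by_b)
    overlap = a & b
    if not overlap:
        return None, None
    total = Fraction(len(a) * len(b), len(overlap))
    return total, total - len(a | b)


if __name__ == "__main__":
    # Constructed scenario: 20 bugs planted, reviewers caught 10 of them
    # and reported 7 real bugs along the way.
    total, remaining = seeding_estimate(seeded=20, seeded_found=10, native_found=7)
    print(f"seeding: ~{total} real bugs, ~{remaining} still undiscovered")

    # Constructed scenario: two reviewers audit the same code independently.
    audit_a = ["bug-1", "bug-2", "bug-3", "bug-4", "bug-5", "bug-6"]
    audit_b = ["bug-4", "bug-5", "bug-6", "bug-7", "bug-8"]
    total, remaining = capture_recapture(audit_a, audit_b)
    print(f"capture-recapture: ~{total} bugs in total, ~{remaining} not yet found")
```

Two caveats matter in practice. Seeds tend to be planted in the style of bugs the seeder already understands, so reviewers catch them more readily than the genuinely novel ones, which makes the seeding figure a lower bound on what remains; plant seeds that resemble the bug class you actually worry about. Capture-recapture likewise assumes the two reviews are independent, so a second reviewer who started from the first reviewer's notes will inflate the overlap and make the estimate optimistic.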