Thanks for your resonse.

If I were running the mailing list in question it would not be top secret. But I’m not. As it stands, the list has the usual signal to noise ratio (miniscule) and the added nonsense of various open source zealots arguing over how many angels fit on the head of a software license.

I’ve posted a couple of other thoughts to this blog spurred by that list, and I’m likely to do it again.

I’m not sure our views are in opposition when it comes to the Fortify postings. Hence the term “dust up”. TTL 250ms.

gem

Am I the only person who sees the irony of this? You’re talking about a secret mailing-list. In other words, “invite-only”. Also plague to any risks against the Trusted-Introducer model, including sockpuppets. The listserv probably runs on open-source software, which probably contains at least one security-related bug. Oh and the SMTP delivery is universally cleartext.

Even though you don’t mention the name of the list, or what qualifications it takes to join — thanks for re-posting some of the “secret information” on your blog for the rest of the world to see.

I think we have opposing views on this topic, but not in the regular, obvious way. I think Mozilla is the best example of bad software security practices. Try comparing SELinux to CA ACF2/TS as a better example of FOSS vs. Commercial.

Also, I think if the only lessons-learned that we can take out of the Fortify paper is that software risk applies to everyone — then yeah duh… we already knew that, ok?

I just saw it as a Fortify press release to stir up some discussion, especially by coordinating with Larry Suto.