1. That's bollocks. Obvious bullshit. All software doesn't have the same security track record. Do you also think sendmail and seL4 have an equally poor security track record?
2. Even if everything did have an equally poor security track record, why would that mean security bugs are no more significant than any other bug?
Honestly I'm dubious you've thought about this at all.
I didn't say "all software has the same security track record". seL4 has a much better track record than Sendmail by dint of not doing very much. I'm pretty comfortable with what people do and don't think about how much thinking I've done on this topic. Done much work with L4?
Then your point makes even less sense. Everything has security vulnerabilities therefore they are no different to other bug classes? What?
Without even wading into trying to rank projects by track record, it's worth noting that "Everything has a poor security track record" and "All software doesn't have the same security track record" are not contradictory statements.
Well, except OpenBSD. They’ve only had two vulns in forever.
Only two remote code execution vulnerabilities in the default configuration. But that's not the only type of security bug.
As `tptacek caught on to, I was joking since OpenBSD's published claim is such a convenient comparison to the idea upthread that Linux specifically had a poor track record.
They're trolling me. :)
You mean "in the default install, in a heck of a long time". :)