“At Security Focus, Elias Levy has posted a Critique of Open
Source Security. He’s made some bad assumptions that I feel
invalidate most of his criticism. Here’s my rebuttal.”
“The Gauntlet firewall published by Trusted Information
Systems was not an Open Source program. It’s what we call
‘disclosed source-code’, and that’s very important because that
difference means that nobody had much reason to read it or work on
it. The software license didn’t provide them any incentive to
do so – you would have only been fixing bugs in a program that
somebody else has an exclusive right to sell. Who wants to be the
unpaid employee of another company? With real Open Source, you have
the same right to sell the program as anyone else, or to distribute
it for free, for that matter, and thus you aren’t some company’s
unpaid dupe.”
“At the time of the Morris Internet worm, the BSD software
distribution of which Sendmail is a part was under a restrictive
license and required an expensive AT&T Unix license before you could
get the system. This is also not what we today know as Open Source.
Besides, you are writing about the epochal Internet virus, and few
people even considered Internet security before that event.”