Comment Re:Not provably secure (Score 1) 185
Since Halloween was yesterday:
Kriston, if there are no candies at the store, the store has no candies for sale. That's not to say there couldn't be any candies left in a drawer by accident, but, no one knows if they exist, hence the above still holds true: the store has no candies for sale. There is no need for an external audit, because, even if you found some candies in a drawer as a result of the audit, the store still had no candies for sale at the time when they claimed they didn't have candies for sale (unless the audit finds tons of candies not disclosed to the public, which is not the case here).
Your argument about the community doesn't hold either. Here's a counter-example: I'm part of an extremely small group of people dealing with a specialized web application. There are only about 20 people in the world using it. I've found at least 10 critical security holes in the default install, just by using it. I've patched about 20 minor bugs, and I'm just a user; I'm not on the developer/QA team. When a product has issues, the community (regardless of size) will still find a percentage of the total issues available. The fact that OpenBSD had 3 issues found in the default install in a decade is impressive, especially since they have _way more_ than 20 users in the entire world AND OpenBSD, as a package, is enormous, with hundreds of utilities and dozens of services waiting to be exploited. But, where are the exploits? That's right.
So, in that context, it's a hell of a lot more secure than other OSes. q.e.d.