On 04/08/2015 19:18, "Christopher Morrow" <morrowc.lists@gmail.com> wrote:
On Tue, Aug 4, 2015 at 12:51 PM, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
On 4 August 2015 at 18:48, Joe Greco <jgreco@ns.sol.net> wrote:
However, the original point was that switching from BIND to Unbound or other options is silly, because you're just trading one codebase for another, and they all have bugs.
It is equally silly to assume that all codebases are of the same quality and have equally many bugs. Maybe we should be looking at the track record of those two products, and maybe we should let someone do a code review. And then choose based on that.
because: 1) historical results matter here? (who looked at which products over what period of time, with what attention to detail(s) and which sets of goals?) 2) the single person doing a code review is likely to see all of the problems in each of the products selected?
Maybe not, but a code review can tell what methods are used to safeguard against security bugs, the general quality of the code, the level of automated testing, etc. History can give hints to the same. If it had a lot of bugs discovered, it is likely that it is not of good quality from a security perspective and more bugs can be expected. It is called due diligence. The aim is not to find the bugs but to evaluate the product.

Regards,
Baldur