Sunday, November 15, 2009

Re: Making the case for Django (vs. Drupal)

On Mon, 16 Nov 2009 08:53:26 +0530, Kenneth Gonsalves <lawgon@au-kbc.org>
wrote:
> On Monday 16 Nov 2009 6:50:10 am Christophe Pettus wrote:
>> On Nov 15, 2009, at 5:10 PM, Kenneth Gonsalves wrote:
>> > I do also point out to plone vs drupal, but there again the
>> > argument is that drupal is more widely used and hence has more
>> > observable vulnerabilities. It does not sound logical.
>>
>> I don't think that anyone is seriously arguing that a piece of
>> software being widely adopted somehow creates new security
>> vulnerabilities in it. I believe the assumption is that all software
>> of a given level of complexity has roughly the same number of
>> vulnerabilities, either exposed or hidden. Thus, the more used a
>> piece of software, the more attention the bad guys give it, and thus
>> the more of those hidden security problems become exposed.
>>
>
> it is precisely this assumption that does not seem logical to me. But
> frankly I do not know how to counter it ;-)

It is quite simple. Say you write a letter. You proofread the result.
You give it to someone else to proofread and it's likely he/she finds
a few more typos. The longer the letter, the more mistakes you'll
make (absolute), while the percentage might stay the same.
The more eyes look at it, the better your chances are that you will
send a flawless letter.
Now, the question arises whether a program is more secure if it has
more exposure (proofreaders) or less, and a bit of both is true.
The more proofreaders, the less chance a bug remains, yet since
exploiting the bug requires knowledge to be shared and/or
incorporated into attack software, the chance that *you* as a user
get exploited through one of these bugs lessens.
Think of this as the difference between a cabin in the mountains,
no locks on the door and a 5 mile steep hike to get there, versus
a bank downtown. Obviously, the bank is more secure, yet it's
much less likely that someone will try and rob the cabin.
--
Melvyn Sopacua
