> Not if there aren't holes in it.  OpenBSD is a great example of this.
> They've only distributed software that had a root exploit once in 7
> years.  Anybody can look at the code, but if there's no way to get in,
> there's no way to get in.

I'm a great advocate of BSDs, especially OpenBSD, but that's not strictly
true.

The claim isn't one root exploit in 7 years. It's had a few, potential, root
exploits. The claim is, and taken straight from http://www.openbsd.org, "Only
one remote hole in the default install, in more than 7 years". There's a
world of difference. Local holes are pretty minor compared to remote - most
machines you can assume to have little to no local access. Remote holes are
the serious ones, and it's had some. The key term in their claim is "default
install". The default install ships with pretty much everything turned off.
So if you got every release of OpenBSD and installed it and did not configure
it, you'd only be privy to one remote exploit. But if you started to turning
on services you would become more and more vulnerable, just like any OS.

That being said, the OpenBSD team is very strict about what gets let in to
their 'distribution' and have regular code reviews for things like buffer
exploits, etc.

Michael
--

Overflow on /dev/null, please empty the bit bucket.

--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads