There are also those "oh my goodness how could I have been so stupid"
bugs, that one can see immediately are unlikely to have complex
ramifications if fixed. Some security bugs are like that. How long did
it take for the first "ping of death" fix to appear after the problem
was reported? 30 minutes? I can't remember the OS that had the first
fix offhand... FreeBSD?
Testing and so on is obviously required, but when we are dealing with
handsets we are probably not dealing with something with hardware
which can be flash updated over the network - so a product recall is
likely to be on the cards. At which point, whether it takes 24 hours or
48 to fully test is of moderately limited consequence (although halting
a production line for that long is obviously a cost).
If it is updateable over the network then we run into all kinds of
other potential problems (updates not finishing and rendering the
hardware, software or OS inoperative, naughty people updating things
wot they ought not to... Little boys with too much time on their hands
customizing their rigs...)
But I think the cjs point is right - having someone in house who can
fix the bug is the only way to guarantee you can get the show back on
the road. Open source PERMITS that, but does not require it (one can
get a support contract with an external company if one chooses), which
is a major advantage. The other "advantage" of open source is that it
is generally well understood by a large pool of people, which brings
wage costs down...
Of course "well understood" also means it is well understood by the
aforementioned naughty boys - there are SOME benefits from "security
through relative obscurity", if only 'cuz what they can't play with
easily won't attract their attention.
Nick
> During the development phase 24 hour defect turnaround is practical. I
> would be extremely wary of fixes turned around quicker than that since
> they plainly haven't been tested properly....
Received on Wed Sep 15 15:48:50 2004