Re: open source PostgreSQL not supportable?
Date: Wed, 11 Jan 2006 09:28:27 -0000
Message-ID: <eIidncwa64a0TVneRVnyug_at_pipex.net>
> KPMG: Seattle Washington
> PWC: Seattle Washington
> Deloitte & Touche: Seattle Washington
>
> At various companies I work with all three.
>
> And they have all clearly stated that if a CFO can not guarantee the
> providence of the numbers used to make financial decisions and stated
> publicly in government filings and representations the corporations
> are at risk.
Ignoring for a moment the very many naive assumptions that seem to underlie it, this seems a completely unexceptionable statement. It is a million miles away from prescribing "closed source tamper-proof" products (whatever that term may mean).
So, did any of the above named companies actually proscribe the use of open source DBMSs? Or, since Morgan's earliest comment refers to shareware (NOT open source), did they warn against using executables of unknown provenance? Did they just suggest that proprietary products would be more easily trusted?
In any case, the very best assurance of confidence comes from having the source code in the public domain where it can be scrutinized, and having proof that the executable cannot have been generated from any other source. That rules out closed source products automatically. The best that one could confidently ever say about those is that no vulnerability has been discovered *so far*. The example of MS Internet Explorer (for one) shows what that is worth.
Obviously it still leaves open the question of how to establish that an executable matches a given set of open source code. I can think of ways that could be done if trusted third parties could be agreed.
It occurs to me that no matter whether one uses closed source or trusted open source DBMS software, it would be tricky (impossible) to prove not only that you had only *ever* used a trusted version, but also that none of those versions had ever been shown to have a vulnerability during the lifetime of the data!
Roy

Received on Wed Jan 11 2006 - 10:28:27 CET
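One possible form of the third-party check the message alludes to, as an added example that is not part of the original post: several agreed rebuilders each compile the published source independently and report the digest of the executable they obtained, and a deployed binary is accepted only if it matches a quorum of them. The rebuilder names, the source identifier and the attestation layout are assumptions made for illustration, and the attestations are assumed to have been authenticated before they reach this function.

```python
import hashlib
from collections import Counter

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_provenance(binary, source_id, attestations, trusted, quorum):
    """Return (verdict, detail); verdict is one of
    'verified', 'insufficient', 'mismatch', 'conflict'."""
    local = sha256_hex(binary)
    votes = {}  # one vote per trusted rebuilder for this exact source revision
    for a in attestations:
        if a["rebuilder"] not in trusted or a["source_id"] != source_id:
            continue  # unknown party or a different revision: ignored
        first = votes.setdefault(a["rebuilder"], a["digest"])
        if first != a["digest"]:
            return "conflict", a["rebuilder"] + " reported two digests"
    tally = Counter(votes.values())
    if len(tally) > 1:
        # Trusted parties disagree: the build is not reproducible, or one
        # rebuilder is faulty or compromised. Surface it, never outvote it.
        return "conflict", "rebuilders disagree on the digest"
    if not tally:
        return "insufficient", "no usable attestations"
    digest, count = next(iter(tally.items()))
    if digest != local:
        return "mismatch", "binary differs from the attested build"
    if count < quorum:
        return "insufficient", "%d of %d required" % (count, quorum)
    return "verified", "%d rebuilders agree" % count

# Constructed sample data (hypothetical names and values, not from the thread).
BINARY = b"constructed stand-in for a DBMS server executable"
SOURCE_ID = "example-source-revision"
TRUSTED = {"rebuilder-a", "rebuilder-b", "rebuilder-c"}
GOOD = sha256_hex(BINARY)
ATTESTATIONS = [
    {"rebuilder": r, "source_id": SOURCE_ID, "digest": GOOD}
    for r in sorted(TRUSTED)
]

if __name__ == "__main__":
    print(check_provenance(BINARY, SOURCE_ID, ATTESTATIONS, TRUSTED, quorum=2))
    print(check_provenance(BINARY + b"\x00", SOURCE_ID, ATTESTATIONS, TRUSTED, quorum=2))
```

This only covers the binary in hand at the moment of the check; it does not address the message's later point about proving which versions were used over the lifetime of the data.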