> > There is no doubt that most security agencies have a long list of zero-day
> > exploits in their toolbox - I would hazard to suggest that they
> > wouldn't be doing their job if they didn't! But I seriously doubt they
> > would commission exploitable code in something that is openly
> > auditable.
> >
> > P.
> >
>
> P., I used to think that too... indeed, I was thoroughly convinced of it.
> But reality changed my mind.

Indeed. I think the assertion "OSS is somehow safer because of community audit" is a logical fallacy. How would one go about "auditing" in the first place?

Even if the various intelligence agencies are not injecting vulnerabilities, they would certainly be in a strong position to discover some of the holes that already exist, some time before they become public.

Unless you're operating an air-gapped network, you can be damn sure that 'they' can get into your systems if they really want to.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos