To put it simply, if I buy a car and find that the door-lock doesn't work I would demand, at least, that the lock was changed for one that worked.

Why should we expect less from a software vendor? If they write code that doesn't work correctly (and yes that does include security, just as with a car) then they should bear the cost of fixing it.

Also, the maintainers of thousands of software packages you refer to *are* the open-source community. You only have to look at the gnu, debian or gentoo mailing lists to see that the volunteer open-source community *does* do a lot.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/200/23905#23905