"All software has bugs" is the most meaningless statement ever. It is just used for bonding with fellow bug writers who sit at a virtual campfire and muse about inevitabilities.

Demonstrably some software has fewer bugs, and its authors are often hated, especially if they are a lone author like Bernstein. Because it must not happen!

Projects with useless churn and many bug reports are more popular because only activity matters, not quality.

▲

zamadatix 2 hours ago | parent [-]

"All software has bugs" so "be wary of the one trying to say they haven't had any in 3 years" not so "I guess all are equal". For extremely low security bug rates either the scope is extremely narrow, the claim is dubious, or the project is a massive effort which the community talks about directly in posts rather than plugs (e.g. curl).

▲

strenholme 2 hours ago | parent [-]

DJB, with Qmail and DjbDNS (as well as Publicfile, which didn’t catch on in an era of CGI scripts), showed that one could have (mostly) security bug free software without the scope being “extremely narrow”, and without the claim being “dubious”.

It’s not normal for software to be so poorly written, one doubts the claim that a security bug hasn’t been found in over three years. If one thinks the claim of no security bugs of consequence in three years is dubious, feel free to do a security audit of MaraDNS (or DjbDNS, which I also will take responsibility for even though my software is, if you will, a “competitor” to DjbDNS), and report any bugs you find.

Speaking of DJB, DjbDNS has had a few security bugs over the years (but not that many), but I’m maintaining a fork of DjbDNS with all of the security bugs I know about fixed:

https://github.com/samboy/ndjbdns

I am saying all this as someone who has had significant enough issues with DJB’s software, I ended up writing my own DNS server so I didn’t have to use his server (I might not had done so if DjbDNS was public domain in 2001, but oh well).

(As a matter of etiquette, it’s a little rude to claim someone is saying something “dubious”, especially when the claim is backed up with solid evidence [multiple audits didn’t find anything of significance in the last year, as I documented above], unless you have solid evidence the claim is dubious, e.g. a significant security hole more recent than three years old)

▲

3ASAF an hour ago | parent | next [-]

People here don't know that MaraDNS was already popular on extremely critical security mailing lists that basically hated anything but qmail and postfix. If you introduce more bugs and blog about them, it will probably gain in popularity. :)

▲

fc417fc802 an hour ago | parent | prev [-]

> It’s not normal for software to be so poorly written, one doubts the claim that a security bug hasn’t been found in over three years.

Can you back that claim up with at least some sort of theory? Because it doesn't match my perception of the real world, nor does it match my mental model of how CVEs happen.

▲

strenholme an hour ago | parent [-]

Yes, I can.

https://samboy.github.io/MaraDNS/webpage/DNS.security.compar...

Also, my sister post: https://news.ycombinator.com/item?id=48112042

	▲	fc417fc802 an hour ago \| parent [-]
		Is that not begging the question? You have asserted X and now you point to a particular track record to back the claim of X up but the track record only serves as valid evidence of X if we already accept your assertion that X is the case.