undefined | Better HN

0 pointsfc417fc80213d ago0 comments

When you offer up an alternative as technically superior in some manner then yes, it is on you to demonstrate such a claim in a convincing manner. "No bugs in 3 years in this software with a much smaller audience and also look AI audits!" comes across as off topic shameless self promotion. At least if an insightful technical discussion ensued the subthread might prove worthwhile but so far it's just the usual tired shit flinging.

0 comments

strenholme13d ago

I have far more evidence of a very good security record with MaraDNS than “No bugs in 3 years in this software with a much smaller audience and also look AI audits!”

• The software has been around for 25 years

• The software is popular enough to have been subjected to dozens of security code audits, including two audits in the post-AI era

• In those 25 years, only two remote “packet of death” bugs have been found

• Also, in those same 25 years, only one single bug report of remotely exploitable memory leaks has been found

This isn’t something which, as implied here, has a lot of security bugs only because no one has used or audited the software. This is a long term, mature code base which has only had a few serious security bugs in that timeframe.

Here is my evidence:

https://samboy.github.io/MaraDNS/webpage/security.html

If this evidence isn’t “convincing” to you, I don’t know what evidence would be “convincing”.

fc417fc802OP13d ago

For what it's worth I didn't know about maradns prior to this. Maybe it actually sees fairly wide use? Whether or not I accept your evidence would hinge on that. Regardless I think my point stands - if you don't lead with a convincing line of reasoning all that's left is an empty assertion. Unless I happen to recognize you as an authority in the field that's not going to do anything for me since by default you're some stranger on the internet that might be a dog for all I know.

To illustrate the issue with an extreme example, consider that a disused repository on github full of security holes is highly unlikely to have any CVEs regardless of age. The software has to present a worthwhile target (ie have a substantial long term userbase) before anyone will bother to look for exploits. (I guess that might change in the near future thanks to AI but I don't think we're there just yet.)

j / k navigate · click thread line to collapse