<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article09_12_23_157215</id>
	<title>Is Code Auditing of Open Source Apps Necessary?</title>
	<author>CmdrTaco</author>
	<datestamp>1261586700000</datestamp>
	<htmltext>An anonymous reader writes <i>"Following Sun Microsystems' decision to release a raft of <a href="http://www.net-security.org/secworld.php?id=8639">open source applications</a> to support its secure cloud computing strategy, companies may be wondering if they should conduct security tests of their customized open source software before deployment. While the use of encryption and VPNs to extend a secure bridge between a company IT resource and a private cloud facility is very positive &mdash; especially now that Amazon is <a href="http://tech.slashdot.org/story/09/12/15/0057232/Amazon-Introduces-Bidding-For-EC2-Compute-Time">beta testing</a> its pay-as-you-go private cloud facility &mdash; <a href="http://www.net-security.org/secworld.php?id=8655">it's important that the underlying application code is also secure</a>. What do you think?"</i></htmltext>
<tokentext>An anonymous reader writes " Following Sun Microsystems ' decision to release a raft of open source applications to support its secure cloud computing strategy , companies may be wondering if they should conduct security tests of their customized open source software before deployment .
While the use of encryption and VPNs to extend a secure bridge between a company IT resource and a private cloud facility is very positive    especially now that Amazon is beta testing its pay-as-you-go private cloud facility    it 's important that the underlying application code is also secure .
What do you think ?
"</tokentext>
<sentencetext>An anonymous reader writes "Following Sun Microsystems' decision to release a raft of open source applications to support its secure cloud computing strategy, companies may be wondering if they should conduct security tests of their customized open source software before deployment.
While the use of encryption and VPNs to extend a secure bridge between a company IT resource and a private cloud facility is very positive — especially now that Amazon is beta testing its pay-as-you-go private cloud facility — it's important that the underlying application code is also secure.
What do you think?
"</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536630</id>
	<title>Of course! Read about the Farewell Dossier</title>
	<author>Anonymous</author>
	<datestamp>1259777880000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>http://www.nytimes.com/2004/02/02/opinion/02SAFI.html?th</p><p>and here</p><p>http://en.wikipedia.org/wiki/Farewell_Dossier</p></htmltext>
<tokentext>http : //www.nytimes.com/2004/02/02/opinion/02SAFI.html ? thand herehttp : //en.wikipedia.org/wiki/Farewell_Dossier</tokentext>
<sentencetext>http://www.nytimes.com/2004/02/02/opinion/02SAFI.html?thand herehttp://en.wikipedia.org/wiki/Farewell_Dossier</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536246</id>
	<title>Yes.</title>
	<author>Anonymous</author>
	<datestamp>1259775960000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>Next Question.</p></htmltext>
<tokentext>Next Question .</tokentext>
<sentencetext>Next Question.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537146</id>
	<title>Of course you should</title>
	<author>dirk</author>
	<datestamp>1259780820000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Being open source in no way means a program is bug free, or even does what it claims.  Sure, chances are someone else has already found if there is something horribly wrong, but the whole point of it being open source is so you can audit it yourself.  If you don't bother to actually look at the code, it might as well be closed source, since you aren't looking at the code anyway.</p></htmltext>
<tokentext>Being open source in no way means a program is bug free , or even does what it claims .
Sure , chances are someone else has already found if there is something horribly wrong , but the whole point of it being open source is so you can audit it yourself .
If you do n't bother to actually look at the code , it might as well be closed source , since you are n't looking at the code anyway .</tokentext>
<sentencetext>Being open source in no way means a program is bug free, or even does what it claims.
Sure, chances are someone else has already found if there is something horribly wrong, but the whole point of it being open source is so you can audit it yourself.
If you don't bother to actually look at the code, it might as well be closed source, since you aren't looking at the code anyway.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536512</id>
	<title>Not just a security question</title>
	<author>Anonymous</author>
	<datestamp>1259777220000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>It's not just a matter of security. I would think you would want to verify, via some method (code review, etc) that the code is correct and provides the desired results, doesn't crash, is properly integrated, etc.</p><p>
&nbsp; &nbsp; &nbsp; &nbsp; Brett</p></htmltext>
<tokentext>It 's not just a matter of security .
I would think you would want to verify , via some method ( code review , etc ) that the code is correct and provides the desired results , does n't crash , is properly integrated , etc .
        Brett</tokentext>
<sentencetext>It's not just a matter of security.
I would think you would want to verify, via some method (code review, etc) that the code is correct and provides the desired results, doesn't crash, is properly integrated, etc.
        Brett</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30539128</id>
	<title>Re:It's not even really a question</title>
	<author>Xtifr</author>
	<datestamp>1259750040000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>What's more, since Open Source software lacks any single person you could possibly sue in case things go terribly wrong</p></div><p>Let's rephrase that--<em>may</em> lack.  There's plenty of ways you can arrange to have OSS that has someone to sue.  Most of those ways involve payment, however, which seems like a reasonable trade-off for the assumption of that risk.</p></p>
	</htmltext>
<tokentext>What 's more , since Open Source software lacks any single person you could possibly sue in case things go terribly wrongLet 's rephrase that--may lack .
There 's plenty of ways you can arrange to have OSS that has someone to sue .
Most of those ways involve payment , however , which seems like a reasonable trade-off for the assumption of that risk .</tokentext>
<sentencetext>What's more, since Open Source software lacks any single person you could possibly sue in case things go terribly wrongLet's rephrase that--may lack.
There's plenty of ways you can arrange to have OSS that has someone to sue.
Most of those ways involve payment, however, which seems like a reasonable trade-off for the assumption of that risk.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536326</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536708</id>
	<title>No, don't flip the question. Answer it.</title>
	<author>elnyka</author>
	<datestamp>1259778360000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p><div class="quote"><p>How are they auditing the code of the closed source apps they're using?  If there are steps in place, use those as a minimum. <b>If there aren't, then how's the blind faith of using those programs different than what's needed for open source?</b></p> </div><p>Flipping the question does not answer the original one, which is a valid one and which deserves an answer. The answer is, just like anything, it depends. It depends on the open source artifacts in question; it depends on the specific audit/security requirements; it depends on how critical the app under development is; it depends on SLA agreements (if one exists and requires it.)</p><p>

As you said, if there are steps in place, use those as a minimum, <i>provided that they are sufficient for the requirements at hand</i>.</p><p>

If there aren't any, you can't just cross your arms and say "well, if I didn't do them with COTS, why would I with FOSS"? If there aren't, <b>and your project requires them</b>, then shit, you implement them.</p><p>

The question of whether to sec audit something, be it COTS or FOSS is predicated by the requirements at hand, not on whether a previous usage of COTS (or FOSS) was properly audited in the past.</p></p>
	</htmltext>
<tokentext>How are they auditing the code of the closed source apps they 're using ?
If there are steps in place , use those as a minimum .
If there are n't , then how 's the blind faith of using those programs different than what 's needed for open source ?
Flipping the question does not answer the original one , which is a valid one and which deserves an answer .
The answer is , just like anything , it depends .
It depends on the open source artifacts in question ; it depends on the specific audit/security requirements ; it depends on how critical the app under development is ; it depends on SLA agreements ( if one exists and requires it .
) As you said , if there are steps in place , use those as a minimum , provided that they are sufficient for the requirements at hand .
If there are n't any , you ca n't just cross your arms and say " well , if I did n't do them with COTS , why would I with FOSS " ?
If there are n't , and your project requires them , then shit , you implement them .
The question of whether to sec audit something , be it COTS or FOSS is predicated by the requirements at hand , not on whether a previous usage of COTS ( or FOSS ) was properly audited in the past .</tokentext>
<sentencetext>How are they auditing the code of the closed source apps they're using?
If there are steps in place, use those as a minimum.
If there aren't, then how's the blind faith of using those programs different than what's needed for open source?
Flipping the question does not answer the original one, which is a valid one and which deserves an answer.
The answer is, just like anything, it depends.
It depends on the open source artifacts in question; it depends on the specific audit/security requirements; it depends on how critical the app under development is; it depends on SLA agreements (if one exists and requires it.
)

As you said, if there are steps in place, use those as a minimum, provided that they are sufficient for the requirements at hand.
If there aren't any, you can't just cross your arms and say "well, if I didn't do them with COTS, why would I with FOSS"?
If there aren't, and your project requires them, then shit, you implement them.
The question of whether to sec audit something, be it COTS or FOSS is predicated by the requirements at hand, not on whether a previous usage of COTS (or FOSS) was properly audited in the past.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536270</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536442</id>
	<title>Re:Flip the question.</title>
	<author>Anonymous</author>
	<datestamp>1259776920000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>It's not uncommon for large organizations to require access to code, have a third party audit it, or require some form of liability insurance from the vendor when closed source code is purchased. There's also the not very reliable, and very dangerous, assumption that vendors have already vetted the code against malicious/non-secure code.</p><p>For open source code - there's no-one accountable vouching for the code or offering insurance - so organizations are forced to audit the code. Plus there's the usually wrong, overly paranoid but safer assumption that the code might well harbor something malicious/non-secure.</p></htmltext>
<tokentext>It 's not uncommon for large organizations to require access to code , have a third party audit it , or require some form of liability insurance from the vendor when closed source code is purchased .
There 's also the not very reliable , and very dangerous , assumption that vendors have already vetted the code against malicious/non-secure code.For open source code - there 's no-one accountable vouching for the code or offering insurance - so organizations are forced to audit the code . Plus there 's the usually wrong , overly paranoid but safer assumption that the code might well harbor something malicious/non-secure .</tokentext>
<sentencetext>It's not uncommon for large organizations to require access to code, have a third party audit it, or require some form of liability insurance from the vendor when closed source code is purchased.
There's also the not very reliable, and very dangerous, assumption that vendors have already vetted the code against malicious/non-secure code.For open source code - there's no-one accountable vouching for the code or offering insurance - so organizations are forced to audit the code. Plus there's the usually wrong, overly paranoid but safer assumption that the code might well harbor something malicious/non-secure.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536270</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536360</id>
	<title>Ummm... why *wouldn't* you do this?!</title>
	<author>Anonymous</author>
	<datestamp>1259776620000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>If you're trying to build a secure system, why would you *not* audit every piece of code, open- or closed-source? Doesn't kinda defeat the purpose if you have no idea how secure a piece of software you depend on is? For that matter, is there anyone on /. that would (seriously) suggest the opposite?</p></htmltext>
<tokentext>If you 're trying to build a secure system , why would you * not * audit every piece of code , open- or closed-source ?
Does n't kinda defeat the purpose if you have no idea how secure a piece of software you depend on is ?
For that matter , is there anyone on / .
that would ( seriously ) suggest the opposite ?</tokentext>
<sentencetext>If you're trying to build a secure system, why would you *not* audit every piece of code, open- or closed-source?
Doesn't kinda defeat the purpose if you have no idea how secure a piece of software you depend on is?
For that matter, is there anyone on /.
that would (seriously) suggest the opposite?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537354</id>
	<title>Re:I thought auditing was the whole point</title>
	<author>Anonymous</author>
	<datestamp>1259782200000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>The funny thing is, how many people are actually eyeballing the code? Are you, or do you just assume thousands of other people are?</p></htmltext>
<tokentext>The funny thing is , how many people are actually eyeballing the code ?
Are you , or do you just assume thousands of other people are ?</tokentext>
<sentencetext>The funny thing is, how many people are actually eyeballing the code?
Are you, or do you just assume thousands of other people are?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536716</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536754</id>
	<title>Re:Flip the question.</title>
	<author>nitehawk214</author>
	<datestamp>1259778660000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>How are they auditing the code of the closed source apps they're using?  If there are steps in place, use those as a minimum. If there aren't, then how's the blind faith of using those programs different than what's needed for open source?</p></div><p>Good point... however I would posit that <b>somebody</b> had better be auditing the code, be it open source or closed. In the closed case, it should be the vendor itself, or a neutral 3rd party. Now granted there is no guarantee that it is done properly in the closed source case, but that should be part of the vendor's liability. (yeah yeah, vendors don't take liability for shrink-wrap software, but they typically do for custom projects)</p><p>As far as open source goes... none of us have the time or manpower to audit all of Apache or Linux. But with giant projects that millions of people use, and have entire industries designed to support, we don't need to audit it. Smaller apps with few users should be scrutinized more closely.</p></p>
	</htmltext>
<tokentext>How are they auditing the code of the closed source apps they 're using ?
If there are steps in place , use those as a minimum .
If there are n't , then how 's the blind faith of using those programs different than what 's needed for open source ? Good point... however I would posit that somebody had better be auditing the code , be it open source or closed .
In the closed case , it should be the vendor itself , or a neutral 3rd party .
Now granted there is no guarantee that it is done properly in the closed source case , but that should be part of the vendor 's liability .
( yeah yeah , vendors do n't take liability for shrink-wrap software , but they typically do for custom projects ) As far as open source goes... none of us have the time or manpower to audit all of Apache or Linux .
But with giant projects that millions of people use , and have entire industries designed to support , we do n't need to audit it .
Smaller apps with few users should be scrutinized more closely .</tokentext>
<sentencetext>How are they auditing the code of the closed source apps they're using?
If there are steps in place, use those as a minimum.
If there aren't, then how's the blind faith of using those programs different than what's needed for open source?Good point... however I would posit that somebody had better be auditing the code, be it open source or closed.
In the closed case, it should be the vendor itself, or a neutral 3rd party.
Now granted there is no guarantee that it is done properly in the closed source case, but that should be part of the vendor's liability.
(yeah yeah, vendors don't take liability for shrink-wrap software, but they typically do for custom projects)As far as open source goes... none of us have the time or manpower to audit all of Apache or Linux.
But with giant projects that millions of people use, and have entire industries designed to support, we don't need to audit it.
Smaller apps with few users should be scrutinized more closely.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536270</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537320</id>
	<title>looks like the point has been lost</title>
	<author>Anonymous</author>
	<datestamp>1259782020000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>uh... look.. part of the whole point of open source software is the fact that it CAN be audited!  any and all software should be audited and tested to its fullest extent before going into production.  i know this doesn't always happen in the corporate environment, but that does not change the fact that it SHOULD be done!  people are right, just because something is open source doesn't mean it's automagically secure, it means that people can audit code and submit bug reports when they find insecurities which, in turn, lets the developers make the code more secure.  Christ, why does this question even need to be posed?  has everyone forgotten how the open source community is supposed to work?  i think it may just be that the corporate people are coming in without a clue.</p></htmltext>
<tokentext>uh... look.. part of the whole point of open source software is the fact that it CAN be audited !
any and all software should be audited and tested to its fullest extent before going into production .
i know this does n't always happen in the corporate environment , but that does not change the fact that it SHOULD be done !
people are right , just because something is open source does n't mean it 's automagically secure , it means that people can audit code and submit bug reports when they find insecurities which , in turn , lets the developers make the code more secure .
Christ , why does this question even need to be posed ?
has everyone forgotten how the open source community is supposed to work ?
i think it may just be that the corporate people are coming in without a clue .</tokentext>
<sentencetext>uh... look.. part of the whole point of open source software is the fact that it CAN be audited!
any and all software should be audited and tested to its fullest extent before going into production.
i know this doesn't always happen in the corporate environment, but that does not change the fact that it SHOULD be done!
people are right, just because something is open source doesn't mean it's automagically secure, it means that people can audit code and submit bug reports when they find insecurities which, in turn, lets the developers make the code more secure.
Christ, why does this question even need to be posed?
has everyone forgotten how the open source community is supposed to work?
i think it may just be that the corporate people are coming in without a clue.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536356</id>
	<title>Re:Yes.</title>
	<author>Foofoobar</author>
	<datestamp>1259776620000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Next up on easy question theatre... why are you hitting yourself? why are you hitting yourself? why are you hitting yourself?</htmltext>
<tokentext>Next up on easy question theatre... why are you hitting yourself ?
why are you hitting yourself ?
why are you hitting yourself ?</tokentext>
<sentencetext>Next up on easy question theatre... why are you hitting yourself?
why are you hitting yourself?
why are you hitting yourself?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536246</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536716</id>
	<title>I thought auditing was the whole point</title>
	<author>Anonymous</author>
	<datestamp>1259778420000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Uh, isn't one of the points of open source that you have thousands of eyeballs auditing the code?  What the hell kind of question is this to ask, really?</p></htmltext>
<tokentext>Uh , is n't one of the points of open source that you have thousands of eyeballs auditing the code ?
What the hell kind of question is this to ask , really ?</tokentext>
<sentencetext>Uh, isn't one of the points of open source that you have thousands of eyeballs auditing the code?
What the hell kind of question is this to ask, really?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30545504</id>
	<title>NO! You shouldn't have to audit code</title>
	<author>Lorens</author>
	<datestamp>1261680780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I'll go against everyone and say that no, you should not have to audit the code.</p><p>The fact that in order to use a software package safely an expert has to go through every single instruction is an aberration that would be done away with by using a capability operating system like KeyKOS, CapROS, or Coyotos.</p><p>Start OpenOffice or PDF reader or whatever with 1) authorization to interact with its X11 window 2) a means to call out to a trusted system dialog box for reading and saving files from/to the user's space. Nothing else. What do you care if there is malicious code in the application? It is surprisingly simple to extend the concept to everything in the system when you are designing the system.</p><p>Unfortunately KeyKOS is old (1970, PDP-10), the Coyotos lead was hired by Microsoft last spring, and CapROS hasn't enough coders. Maybe sometime in fifty years or so we will have a secure operating system.</p></htmltext>
<tokentext>I 'll go against everyone and say that no , you should not have to audit the code.The fact that in order to use a software package safely an expert has to go through every single instruction is an aberration that would be done away with by using a capability operating system like KeyKOS , CapROS , or Coyotos.Start OpenOffice or PDF reader or whatever with 1 ) authorization to interact with its X11 window 2 ) a means to call out to a trusted system dialog box for reading and saving files from/to the user 's space .
Nothing else .
What do you care if there is malicious code in the application ?
It is surprisingly simple to extend the concept to everything in the system when you are designing the system.Unfortunately KeyKOS is old ( 1970 , PDP-10 ) , the Coyotos lead was hired by Microsoft last spring , and CapROS has n't enough coders .
Maybe sometime in fifty years or so we will have a secure operating system .</tokentext>
<sentencetext>I'll go against everyone and say that no, you should not have to audit the code.The fact that in order to use a software package safely an expert has to go through every single instruction is an aberration that would be done away with by using a capability operating system like KeyKOS, CapROS, or Coyotos.Start OpenOffice or PDF reader or whatever with 1) authorization to interact with its X11 window 2) a means to call out to a trusted system dialog box for reading and saving files from/to the user's space.
Nothing else.
What do you care if there is malicious code in the application?
It is surprisingly simple to extend the concept to everything in the system when you are designing the system.Unfortunately KeyKOS is old (1970, PDP-10), the Coyotos lead was hired by Microsoft last spring, and CapROS hasn't enough coders.
Maybe sometime in fifty years or so we will have a secure operating system.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536698</id>
	<title>Is this a troll?</title>
	<author>Anonymous</author>
	<datestamp>1259778300000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Seriously, this is a dumb question and reeks of someone trolling for a reply.</htmltext>
<tokentext>Seriously , this is a dumb question and reeks of someone trolling for a reply .</tokentext>
<sentencetext>Seriously, this is a dumb question and reeks of someone trolling for a reply.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536408</id>
	<title>yes</title>
	<author>Sir_Lewk</author>
	<datestamp>1259776800000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I think the answer reasonably is anywhere between "yes" and "absolutely yes".  For example, auditing should probably be considered very important for software such as slashdotter Fyodor's Nmap.</p><p>You can't trust everyone in the open source community to be completely white-hat all the time...</p></htmltext>
<tokentext>I think the answer reasonably is anywhere between " yes " and " absolutely yes " .
For example , auditing should probably be considered very important for software such as slashdotter Fyodor 's Nmap.You ca n't trust everyone in the open source community to be completely white-hat all the time.. .</tokentext>
<sentencetext>I think the answer reasonably is anywhere between "yes" and "absolutely yes".
For example, auditing should probably be considered very important for software such as slashdotter Fyodor's Nmap.You can't trust everyone in the open source community to be completely white-hat all the time...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536430</id>
	<title>It all depends...</title>
	<author>malkavian</author>
	<datestamp>1259776920000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>If you have the resources to vet the code without draining resources, then it may be useful for you to do it.  If you use closed source code, you just have to trust that (and maybe black box test it).  At a minimum, test everything to the same standard.<br>If you barely have the resources to cobble together a quick and dirty IT system, then trying to security test open source software may not be the best way to grow your company (unless that's what you're intending to do as your business, in which case, you'll probably need more than the quick and dirty IT system).<br>If you rely on being as secure as possible, and any breach would be the end of you, and you also have loads of spare cash rattling around (*Cough* Financials *cough*), then having an extra possibility of vetting is never something to be sniffed at.  Get a bunch of people to pore over it.  If they find holes, submit patches and patch internally as required.<br>Still, you're only as secure as the bunch you hire to vet the code..  If you give it to 'a person' to vet, and they happen to put in a back door..<br>It really all depends on where you think the biggest risks are, and who you choose to trust. But it's still nice to have the extra chance to at least look if it worries you.</p></htmltext>
<tokentext>If you have the resources to vet the code without draining resources , then it may be useful for you to do it .
If you use closed source code , you just have to trust that ( and maybe black box test it ) .
At a minimum , test everything to the same standard.If you barely have the resources to cobble together a quick and dirty IT system , then trying to security test open source software may not be the best way to grow your company ( unless that 's what you 're intending to do as your business , in which case , you 'll probably need more than the quick and dirty IT system ) .If you rely on being as secure as possible , and any breach would be the end of you , and you also have loads of spare cash rattling around ( * Cough * Financials * cough * ) , then having an extra possibility of vetting is never something to be sniffed at .
Get a bunch of people to pore over it .
If they find holes , submit patches and patch internally as required.Still , you 're only as secure as the bunch you hire to vet the code.. If you give it to 'a person ' to vet , and they happen to put in a back door..It really all depends on where you think the biggest risks are , and who you choose to trust .
But it 's still nice to have the extra chance to at least look if it worries you .</tokentext>
<sentencetext>If you have the resources to vet the code without draining resources, then it may be useful for you to do it.
If you use closed source code, you just have to trust that (and maybe black box test it).
At a minimum, test everything to the same standard. If you barely have the resources to cobble together a quick and dirty IT system, then trying to security test open source software may not be the best way to grow your company (unless that's what you're intending to do as your business, in which case, you'll probably need more than the quick and dirty IT system). If you rely on being as secure as possible, and any breach would be the end of you, and you also have loads of spare cash rattling around (*Cough* Financials *cough*), then having an extra possibility of vetting is never something to be sniffed at.
Get a bunch of people to pore over it.
If they find holes, submit patches and patch internally as required. Still, you're only as secure as the bunch you hire to vet the code.. If you give it to 'a person' to vet, and they happen to put in a back door.. It really all depends on where you think the biggest risks are, and who you choose to trust.
But it's still nice to have the extra chance to at least look if it worries you.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536566</id>
	<title>I can see...</title>
	<author>gregarican</author>
	<datestamp>1259777460000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>...the next question that's a posted article [rubs crystal ball]<b>Is Code <i>Testing</i> of Open Source Apps Necessary?</b>[/rubs crystal ball]</p></htmltext>
<tokenext>...the next question that 's a posted article [ rubs crystal ball ] Is Code Testing of Open Source Apps Necessary ?
[ /rubs crystal ball ]</tokentext>
<sentencetext>...the next question that's a posted article [rubs crystal ball]Is Code Testing of Open Source Apps Necessary?
[/rubs crystal ball]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537042</id>
	<title>Of course you should audit them</title>
	<author>Fujisawa Sensei</author>
	<datestamp>1259780340000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Companies should audit the code for these apps the same way they audit Linux, Bash, JBOSS and the various other OS applications they deploy. Why should this code be any different?</p></htmltext>
<tokenext>Companies should audit the code for these apps the same way they audit Linux , Bash , JBOSS and the various other OS applications they deploy .
Why should this code be any different ?</tokentext>
<sentencetext>Companies should audit the code for these apps the same way they audit Linux, Bash, JBOSS and the various other OS applications they deploy.
Why should this code be any different?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30538012</id>
	<title>Due diligence</title>
	<author>seifried</author>
	<datestamp>1259786340000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>"Due diligence". That's all I have to say. Do I audit the code for my personal website? No. Would I audit code for a large commercial site? I should think so.</htmltext>
<tokenext>" Due diligence " .
That 's all I have to say .
Do I audit the code for my personal website ?
No. Would I audit code for a large commercial site ?
I should think so .</tokentext>
<sentencetext>"Due diligence".
That's all I have to say.
Do I audit the code for my personal website?
No. Would I audit code for a large commercial site?
I should think so.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536380</id>
	<title>Re:Yes.</title>
	<author>Thanshin</author>
	<datestamp>1259776680000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Are you happy?</p></htmltext>
<tokenext>Are you happy ?</tokentext>
<sentencetext>Are you happy?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536246</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536770</id>
	<title>Most code auditing is deeply flawed</title>
	<author>Lewxuy</author>
	<datestamp>1259778780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>The problem is that code auditing generally tries to detect bugs. Even in the best case scenario where you can have a complete, manual audit of the entire codebase, you will miss many, many bugs. A much cheaper and in many ways better option is to just take a look at the code. Would you be proud of having written it? Ashamed? If you'd be ashamed of it, I say auditing is useless - there will <em>always</em> be vulnerabilities you've missed. If you're proud of it, an audit might be worth the cost - but, then, you could also spend the money on refactoring the code, use more privilege separation, add better input validation, more sanity checks...</p><p>In a perfect world, all code would be statically checked, audited manually and by automatic tools, etc. But we're not in a perfect world. Auditing is very often NOT the best thing to spend money on.</p><p>Bear in mind that security is only as strong as its weakest link. Do you trust the framework you're building on? The libraries you use? The OS? Your cloud provider?</p></htmltext>
<tokenext>The problem is that code auditing generally tries to detect bugs .
Even in the best case scenario where you can have a complete , manual audit of the entire codebase , you will miss many , many bugs .
A much cheaper and in many ways better option is to just take a look at the code .
Would you be proud of having written it ?
Ashamed ? If you 'd be ashamed of it , I say auditing is useless - there will always be vulnerabilities you 've missed .
If you 're proud of it , an audit might be worth the cost - but , then , you could also spend the money on refactoring the code , use more privilege separation , add better input validation , more sanity checks... In a perfect world , all code would be statically checked , audited manually and by automatic tools , etc .
But we 're not in a perfect world .
Auditing is very often NOT the best thing to spend money on . Bear in mind that security is only as strong as its weakest link .
Do you trust the framework you 're building on ?
The libraries you use ?
The OS ?
Your cloud provider ?</tokentext>
<sentencetext>The problem is that code auditing generally tries to detect bugs.
Even in the best case scenario where you can have a complete, manual audit of the entire codebase, you will miss many, many bugs.
A much cheaper and in many ways better option is to just take a look at the code.
Would you be proud of having written it?
Ashamed? If you'd be ashamed of it, I say auditing is useless - there will always be vulnerabilities you've missed.
If you're proud of it, an audit might be worth the cost - but, then, you could also spend the money on refactoring the code, use more privilege separation, add better input validation, more sanity checks... In a perfect world, all code would be statically checked, audited manually and by automatic tools, etc.
But we're not in a perfect world.
Auditing is very often NOT the best thing to spend money on. Bear in mind that security is only as strong as its weakest link.
Do you trust the framework you're building on?
The libraries you use?
The OS?
Your cloud provider?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537538</id>
	<title>Re:Flip the question.</title>
	<author>Kartoffel</author>
	<datestamp>1259783220000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>IVV under NDA.  Independent validation and verification under non-disclosure agreement.</p><p>That is, if anyone in private industry bothers to buy source and have it independently audited.</p></htmltext>
<tokenext>IVV under NDA .
Independent validation and verification under non-disclosure agreement . That is , if anyone in private industry bothers to buy source and have it independently audited .</tokentext>
<sentencetext>IVV under NDA.
Independent validation and verification under non-disclosure agreement. That is, if anyone in private industry bothers to buy source and have it independently audited.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536270</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536550</id>
	<title>security tests</title>
	<author>viralMeme</author>
	<datestamp>1259777340000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>&gt; companies may be wondering if they should conduct security tests of their customized open source software before deployment ..</p><p>If they haven't already conducted penetration tests before deployment and implemented a secure irrevocable auditing system, then they shouldn't even be in the business ..</p></htmltext>
<tokenext>&gt; companies may be wondering if they should conduct security tests of their customized open source software before deployment ..If they have n't already conducted penetration tests before deployment and implemented a secure irrevocable auditing system , then they should n't even be in the business . .</tokentext>
<sentencetext>&gt; companies may be wondering if they should conduct security tests of their customized open source software before deployment ..If they haven't already conducted penetration tests before deployment and implemented a secure irrevocable auditing system, then they shouldn't even be in the business ..</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537518</id>
	<title>Re:Yes.</title>
	<author>Anonymous</author>
	<datestamp>1259783160000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>1</modscore>
	<htmltext><p>Code review of **every line** is best practice.  That's independent, desk check style code reviews.  The reviewer needs to feel they could put their name on the code, or start writing action.  Any questions need to be addressed prior to the sit-down review with an uninterested moderator. Any burning questions that were not answered to everyone's satisfaction, need to be researched until there aren't any more "I don't understand" that section of code.</p></htmltext>
<tokenext>Code review of * * every line * * is best practice .
That 's independent , desk check style code reviews .
The reviewer needs to feel they could put their name on the code , or start writing action .
Any questions need to be addressed prior to the sit-down review with an uninterested moderator .
Any burning questions that were not answered to everyone 's satisfaction , need to be researched until there are n't any more " I do n't understand " that section of code .</tokentext>
<sentencetext>Code review of **every line** is best practice.
That's independent, desk check style code reviews.
The reviewer needs to feel they could put their name on the code, or start writing action.
Any questions need to be addressed prior to the sit-down review with an uninterested moderator.
Any burning questions that were not answered to everyone's satisfaction, need to be researched until there aren't any more "I don't understand" that section of code.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536246</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537176</id>
	<title>Oh, for crying out loud.</title>
	<author>jthill</author>
	<datestamp>1259781120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Somebody said "it depends" with a certain level of sarcasm above, but I'm going to say it in all seriousness, and echo the "why was this posted" question, also coming from a different angle.
</p><p>The headline says "open source apps" without qualification, so I'll address all open source apps first.
</p><p>The criteria for wanting an audit are the same, and not all software requires an in-house audit for various and I would have said obvious reasons.
</p><p>But there are some observations that apply to open source that do not apply to closed source:
</p><p>Every single proprietary-software vendor on the planet has a <i>huge</i> incentive to find major flaws in every competing product, but only with open source do they have the opportunity.
</p><p>More specifically addressed to open-source security software, but still widely relevant:
</p><p>The open-source security components are available for any use (BSD) or any open-source use (GPL).  They get re-used.  OpenSSL is surely among the most intensively-audited software components on the planet, not least because banks use it to protect financial transactions of all sizes.  And OpenSSL is everywhere.
</p><p>That leaves the following summary of my answer:
</p><ol> <li>For applications where simply trusting that any broadly-used software is secure enough, there's no substantial difference in the considerations, and the answer is virtually always "no".</li>
<li>For applications that have major security implications &mdash; say, whole-disk encryption or multi-user system security or communications security  &mdash; open source has a decided advantage because all of the many interested parties can audit at any time, and all have various motivations to publicize negative results.  You might still want to do it anyway, but you'd want to do it for both kinds, because</li>
<li>And where human life and similarly vital considerations are involved, you are going to be doing one no matter what.</li>
</ol><p>And now for something completely different: /. editors, don't you know that sometimes it actually matters?
</p><p>This story could scarcely have been intentionally constructed to more reliably produce a sales pitch for closed-source companies: "Here's a world-famous bastion of open-source advocates &mdash; ask any of your geeks, they'll know about slashdot &mdash; and look at this, almost everyone there says you have to audit open source.  Do you have the resources to do that? No? That's what we thought, so we can dismiss that idea.  Now, let's talk."
</p><p>And that's precisely because the headline doesn't even mention the "security" part. It's "Open Source Apps". All of them. Even here, not reading the summary is rampant.  How closely do you think a busy manager who starts out suspicious of the whole idea is going to examine this?
</p><p>Bad money drives out good.</p></htmltext>
<tokenext>Somebody said " it depends " with a certain level of sarcasm above , but I 'm going to say it in all seriousness , and echo the " why was this posted " question , also coming from a different angle .
The headline says " open source apps " without qualification , so I 'll address all open source apps first . The criteria for wanting an audit are the same , and not all software requires an in-house audit for various and I would have said obvious reasons .
But there are some observations that apply to open source that do not apply to closed source : Every single proprietary-software vendor on the planet has a huge incentive to find major flaws in every competing product , but only with open source do they have the opportunity .
More specifically addressed to open-source security software , but still widely relevant : The open-source security components are available for any use ( BSD ) or any open-source use ( GPL ) .
They get re-used .
OpenSSL is surely among the most intensively-audited software components on the planet , not least because banks use it to protect financial transactions of all sizes .
And OpenSSL is everywhere .
That leaves the following summary of my answer : For applications where simply trusting that any broadly-used software is secure enough , there 's no substantial difference in the considerations , and the answer is virtually always " no " .
For applications that have major security implications    say , whole-disk encryption or multi-user system security or communications security    open source has a decided advantage because all of the many interested parties can audit at any time , and all have various motivations to publicize negative results .
You might still want to do it anyway , but you 'd want to do it for both kinds , because And where human life and similarly vital considerations are involved , you are going to be doing one no matter what .
And now for something completely different : / .
editors , do n't you know that sometimes it actually matters ?
This story could scarcely have been intentionally constructed to more reliably produce a sales pitch for closed-source companies : " Here 's a world-famous bastion of open-source advocates    ask any of your geeks , they 'll know about slashdot    and look at this , almost everyone there says you have to audit open source .
Do you have the resources to do that ?
No ? That 's what we thought , so we can dismiss that idea .
Now , let 's talk .
" And that 's precisely because the headline does n't even mention the " security " part .
It 's " Open Source Apps " .
All of them .
Even here , not reading the summary is rampant .
How closely do you think a busy manager who starts out suspicious of the whole idea is going to examine this ?
Bad money drives out good .</tokentext>
<sentencetext>Somebody said "it depends" with a certain level of sarcasm above, but I'm going to say it in all seriousness, and echo the "why was this posted" question, also coming from a different angle.
The headline says "open source apps" without qualification, so I'll address all open source apps first.
The criteria for wanting an audit are the same, and not all software requires an in-house audit for various and I would have said obvious reasons.
But there are some observations that apply to open source that do not apply to closed source:
Every single proprietary-software vendor on the planet has a huge incentive to find major flaws in every competing product, but only with open source do they have the opportunity.
More specifically addressed to open-source security software, but still widely relevant:
The open-source security components are available for any use (BSD) or any open-source use (GPL).
They get re-used.
OpenSSL is surely among the most intensively-audited software components on the planet, not least because banks use it to protect financial transactions of all sizes.
And OpenSSL is everywhere.
That leaves the following summary of my answer:
 For applications where simply trusting that any broadly-used software is secure enough, there's no substantial difference in the considerations, and the answer is virtually always "no".
For applications that have major security implications — say, whole-disk encryption or multi-user system security or communications security  — open source has a decided advantage because all of the many interested parties can audit at any time, and all have various motivations to publicize negative results.
You might still want to do it anyway, but you'd want to do it for both kinds, because
And where human life and similarly vital considerations are involved, you are going to be doing one no matter what.
And now for something completely different: /.
editors, don't you know that sometimes it actually matters?
This story could scarcely have been intentionally constructed to more reliably produce a sales pitch for closed-source companies: "Here's a world-famous bastion of open-source advocates — ask any of your geeks, they'll know about slashdot — and look at this, almost everyone there says you have to audit open source.
Do you have the resources to do that?
No? That's what we thought, so we can dismiss that idea.
Now, let's talk.
"
And that's precisely because the headline doesn't even mention the "security" part.
It's "Open Source Apps".
All of them.
Even here, not reading the summary is rampant.
How closely do you think a busy manager who starts out suspicious of the whole idea is going to examine this?
Bad money drives out good.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537234</id>
	<title>Re:I thought auditing was the whole point</title>
	<author>Anonymous</author>
	<datestamp>1259781360000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><div class="quote"><p>Uh, isn't one of the points of open source that you have thousands of eyeballs auditing the code?</p></div><p>This should be "thousands of eyeballs <b><i>potentially</i></b> auditing the code". Outside of the kernel there ain't much auditing going on.</p></htmltext>
<tokenext>Uh , is n't one of the points of open source that you have thousands of eyeballs auditing the code ?
This should be " thousands of eyeballs potentially auditing the code " .
Outside of the kernel there ai n't much auditing going on .</tokentext>
<sentencetext>Uh, isn't one of the points of open source that you have thousands of eyeballs auditing the code?
This should be "thousands of eyeballs potentially auditing the code".
Outside of the kernel there ain't much auditing going on.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536716</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537210</id>
	<title>Audit the FOSS projects, not the code</title>
	<author>cenc</author>
	<datestamp>1259781240000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>Open source code development by definition is a sort of "self-auditing" process. That is all good. The bigger problem that is unaddressed in the FOSS community at large that I see is when the projects that run them fall apart. For example, in this case is the Sun going to set on Sun is still not known. What about MySQL?</p><p>More commonly it is the problem of rag tag bands of volunteers (that are increasingly novice these days), where a couple major players move the project along and if something happens to them the project goes off the rails. The rather high profile example of this was the CentOS fiasco earlier this year.</p><p>I know everyone is going to come back and say things like, "if you don't like it, fork it". That is a nice sentiment, but much harder to do in practice. Often it is like saying if you don't like the service you get at Wal-Mart start your own department store chain, bank, pharmacy, or whatever. Not something even most larger companies can do, let alone end private users.</p><p>We need a system for auditing and reviewing open source projects for their viability and overall health so users (individuals, companies, and other projects that depend on them) can make real decisions about using what they produce. Right now it is more of an art than a science to determine if a project is going to live. I am not saying limit open source creativity or stop small projects, but provide transparency as to the health of the projects. We can see the structure of the code, we should be able to see the structure of community that builds and maintains it.</p></htmltext>
<tokenext>Open source code development by definition is a sort of " self-auditing " process .
That is all good .
The bigger problem that is unaddressed in the FOSS community at large that I see is when the projects that run them fall apart .
For example , in this case is the Sun going to set on Sun is still not known .
What about MySQL ? More commonly it is the problem of rag tag bands of volunteers ( that are increasingly novice these days ) , where a couple major players move the project along and if something happens to them the project goes off the rails .
The rather high profile example of this was the CentOS fiasco earlier this year . I know everyone is going to come back and say things like , " if you do n't like it , fork it " .
That is a nice sentiment , but much harder to do in practice .
Often it is like saying if you do n't like the service you get at Wal-Mart start your own department store chain , bank , pharmacy , or whatever .
Not something even most larger companies can do , let alone end private users . We need a system for auditing and reviewing open source projects for their viability and overall health so users ( individuals , companies , and other projects that depend on them ) can make real decisions about using what they produce .
Right now it is more of an art than a science to determine if a project is going to live .
I am not saying limit open source creativity or stop small projects , but provide transparency as to the health of the projects .
We can see the structure of the code , we should be able to see the structure of community that builds and maintains it .</tokentext>
<sentencetext>Open source code development by definition is a sort of "self-auditing" process.
That is all good.
The bigger problem that is unaddressed in the FOSS community at large that I see is when the projects that run them fall apart.
For example, in this case is the Sun going to set on Sun is still not known.
What about MySQL? More commonly it is the problem of rag tag bands of volunteers (that are increasingly novice these days), where a couple major players move the project along and if something happens to them the project goes off the rails.
The rather high profile example of this was the CentOS fiasco earlier this year. I know everyone is going to come back and say things like, "if you don't like it, fork it".
That is a nice sentiment, but much harder to do in practice.
Often it is like saying if you don't like the service you get at Wal-Mart start your own department store chain, bank, pharmacy, or whatever.
Not something even most larger companies can do, let alone end private users. We need a system for auditing and reviewing open source projects for their viability and overall health so users (individuals, companies, and other projects that depend on them) can make real decisions about using what they produce.
Right now it is more of an art than a science to determine if a project is going to live.
I am not saying limit open source creativity or stop small projects, but provide transparency as to the health of the projects.
We can see the structure of the code, we should be able to see the structure of community that builds and maintains it.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536400</id>
	<title>I hate modern Project Managers</title>
	<author>Anonymous</author>
	<datestamp>1259776740000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>The fact that this question has to even be asked, tells you a lot about how applications are developed.</p><p>The US has dedicated itself to a race to the bottom in quality and price.  Testing is just one of those things companies throw out because it is an expense with no obvious benefits, to those who are not vested in the long term for their products.</p></htmltext>
<tokenext>The fact that this question has to even be asked , tells you a lot about how applications are developed . The US has dedicated itself to a race to the bottom in quality and price .
Testing is just one of those things companies throw out because it is an expense with no obvious benefits , to those who are not vested in the long term for their products .</tokentext>
<sentencetext>The fact that this question has to even be asked, tells you a lot about how applications are developed. The US has dedicated itself to a race to the bottom in quality and price.
Testing is just one of those things companies throw out because it is an expense with no obvious benefits, to those who are not vested in the long term for their products.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536792</id>
	<title>Sun Microsystems?  Oh, you mean ORACLE!</title>
	<author>mmell</author>
	<datestamp>1259778960000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I'm sure they're just opensourcing the bits of Sun's portfolio that they didn't want - sort of a cheap and easy way to divest themselves of responsibility for code and products they didn't want when they took over Sun.<p>
Rest assured, any bits they feel will help them make Oracle an even more ubiquitous player in the database niche of IT will <i>not</i> see the light of day any time soon.  Frankly, I'm surprised they haven't killed MySQL yet (although they may have plans for it; and the fact that it was previously open-source may make it impossible for them to truly kill it).</p><p>
Anybody here trust Oracle?  I mean, I've worked with their products before, and while I don't want to say anything denigrating or derogatory about them here I'm just glad that's <i>worked with before</i> (past tense) and not <i>work with</i> (present tense).</p></htmltext>
<tokenext>I 'm sure they 're just opensourcing the bits of Sun 's portfolio that they did n't want - sort of a cheap and easy way to divest themselves of responsibility for code and products they did n't want when they took over Sun .
Rest assured , any bits they feel will help them make Oracle an even more ubiquitous player in the database niche of IT will not see the light of day any time soon .
Frankly , I 'm surprised they have n't killed MySQL yet ( although they may have plans for it ; and the fact that it was previously open-source may make it impossible for them to truly kill it ) .
Anybody here trust Oracle ?
I mean , I 've worked with their products before , and while I do n't want to say anything denigrating or derogatory about them here I 'm just glad that 's worked with before ( past tense ) and not work with ( present tense ) .</tokentext>
<sentencetext>I'm sure they're just opensourcing the bits of Sun's portfolio that they didn't want - sort of a cheap and easy way to divest themselves of responsibility for code and products they didn't want when they took over Sun.
Rest assured, any bits they feel will help them make Oracle an even more ubiquitous player in the database niche of IT will not see the light of day any time soon.
Frankly, I'm surprised they haven't killed MySQL yet (although they may have plans for it; and the fact that it was previously open-source may make it impossible for them to truly kill it).
Anybody here trust Oracle?
I mean, I've worked with their products before, and while I don't want to say anything denigrating or derogatory about them here I'm just glad that's worked with before (past tense) and not work with (present tense).</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537382</id>
	<title>The answer is clear</title>
	<author>El Nigromante</author>
	<datestamp>1259782380000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Not necessary if the application is not critical.</p><p>CERN's LHC and my bank's software system are typical examples of critical applications. My neighbour's wifi router is not.</p></htmltext>
<tokenext>Not necessary if the application is not critical . CERN 's LHC and my bank 's software system are typical examples of critical applications .
My neighbour 's wifi router is not .</tokentext>
<sentencetext>Not necessary if the application is not critical. CERN's LHC and my bank's software system are typical examples of critical applications.
My neighbour's wifi router is not.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536572</id>
	<title>Of course it is!</title>
	<author>shking</author>
	<datestamp>1259777520000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>The consequences of fixing a problem while it's being exploited are usually much more severe than not having the problem in the first place.  <a href="http://www.openbsd.org/security.html" title="openbsd.org">Proactive security</a> [openbsd.org] is the way to go. That's why BUGTRAQ is peppered with statements like, "This problem was fixed in OpenBSD about 6 months ago"</htmltext>
<tokenext>The consequences of fixing a problem while it 's being exploited are usually much more severe than not having the problem in the first place .
Proactive security [ openbsd.org ] is the way to go .
That 's why BUGTRAQ is peppered with statements like , " This problem was fixed in OpenBSD about 6 months ago "</tokentext>
<sentencetext>The consequences of fixing a problem while it's being exploited are usually much more severe than not having the problem in the first place.
Proactive security [openbsd.org] is the way to go.
That's why BUGTRAQ is peppered with statements like, "This problem was fixed in OpenBSD about 6 months ago"</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536856</id>
	<title>Re:I hate modern Project Managers</title>
	<author>flajann</author>
	<datestamp>1259779440000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>The fact that this question has to even be asked, tells you a lot about how applications are developed.</p><p>The US has dedicated itself to a race to the bottom in quality and price.  Testing is just one of those things companies throw out because it is an expense with no obvious benefits, to those who are not vested in the long term for their products.</p></div><p>There is so much pressure from the business side to rush to market that corners are inevitably cut, and the first place that usually gets cut is testing.</p><p>The realities of today's high-tech business world almost demands that you release crappy code NOW just to get your foot in the door of the market share. You can always release upgrades after the poor fools have bought into your software.</p><p>In an ideal world, everything should receive security audits before release. If you are Big Company releasing to Open Source, you may not want to spend the extra $$$$ on security audits unless you see a clear ROI for you. Besides, you should be able to trust your own developers, anyway. And if you can't, releasing your stuff to OSS or FOSS is the very least of your concerns!!!</p><p>As for encryption-specific security, that requires a special level of auditing, and your reputation is clearly on the line if others suffer due to a flaw in your encryption/protocol schemes. In that case, AUDIT LIKE HELL....</p></htmltext>
<tokenext>The fact that this question has to even be asked , tells you a lot about how applications are developed .
The US has dedicated itself to a race to the bottom in quality and price .
Testing is just one of those things companies throw out because it is an expense with no obvious benefits , to those who are not vested in the long term for their products .
There is so much pressure from the business side to rush to market that corners are inevitably cut , and the first place that usually gets cut is testing .
The realities of today 's high-tech business world almost demands that you release crappy code NOW just to get your foot in the door of the market share .
You can always release upgrades after the poor fools have bought into your software .
In an ideal world , everything should receive security audits before release .
If you are Big Company releasing to Open Source , you may not want to spend the extra $ $ $ $ on security audits unless you see a clear ROI for you .
Besides , you should be able to trust your own developers , anyway .
And if you ca n't , releasing your stuff to OSS or FOSS is the very least of your concerns ! ! !
As for encryption-specific security , that requires a special level of auditing , and your reputation is clearly on the line if others suffer due to a flaw in your encryption/protocol schemes .
In that case , AUDIT LIKE HELL... .</tokentext>
<sentencetext>The fact that this question has to even be asked, tells you a lot about how applications are developed.
The US has dedicated itself to a race to the bottom in quality and price.
Testing is just one of those things companies throw out because it is an expense with no obvious benefits, to those who are not vested in the long term for their products.
There is so much pressure from the business side to rush to market that corners are inevitably cut, and the first place that usually gets cut is testing.
The realities of today's high-tech business world almost demands that you release crappy code NOW just to get your foot in the door of the market share.
You can always release upgrades after the poor fools have bought into your software.
In an ideal world, everything should receive security audits before release.
If you are Big Company releasing to Open Source, you may not want to spend the extra $$$$ on security audits unless you see a clear ROI for you.
Besides, you should be able to trust your own developers, anyway.
And if you can't, releasing your stuff to OSS or FOSS is the very least of your concerns!!!
As for encryption-specific security, that requires a special level of auditing, and your reputation is clearly on the line if others suffer due to a flaw in your encryption/protocol schemes.
In that case, AUDIT LIKE HELL....
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536400</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536404</id>
	<title>It all depends..</title>
	<author>natehoy</author>
	<datestamp>1259776800000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>If you want publicity in any way you can get it, feel free to skip testing.  Data breaches make good news.  It may not be the kind of publicity you want.</p><p>Seriously, it depends on your level of trust and your level of need for security.  Though, if you are using a supposedly secure transport, I imagine your need for security is relatively high.  Besides, you are putting your trust in an external company, which means if that company gets breached your data is right there.  If you don't encrypt it with a second layer, anyone who gains access to your VPN provider also owns you.  You have just extended your circle of trust to include all of the employees of your vendor, a whole bunch of people you will never meet.  If they have cleartext access to your data, you have a problem.</p><p>Security is done in layers.  If someone breaches one layer, it's best if they get stopped by another.  The more layers (within practical limits) the better.</p><p>To put it another way, as wed128 so succinctly put it above, "Yes."  Though I'd add "HELL, YES!" about 100 times after it.</p></htmltext>
<tokenext>If you want publicity in any way you can get it , feel free to skip testing .
Data breaches make good news .
It may not be the kind of publicity you want .
Seriously , it depends on your level of trust and your level of need for security .
Though , if you are using a supposedly secure transport , I imagine your need for security is relatively high .
Besides , you are putting your trust in an external company , which means if that company gets breached your data is right there .
If you do n't encrypt it with a second layer , anyone who gains access to your VPN provider also owns you .
You have just extended your circle of trust to include all of the employees of your vendor , a whole bunch of people you will never meet .
If they have cleartext access to your data , you have a problem .
Security is done in layers .
If someone breaches one layer , it 's best if they get stopped by another .
The more layers ( within practical limits ) the better .
To put it another way , as wed128 so succinctly put it above , " Yes . " Though I 'd add " HELL , YES ! " about 100 times after it .</tokentext>
<sentencetext>If you want publicity in any way you can get it, feel free to skip testing.
Data breaches make good news.
It may not be the kind of publicity you want.
Seriously, it depends on your level of trust and your level of need for security.
Though, if you are using a supposedly secure transport, I imagine your need for security is relatively high.
Besides, you are putting your trust in an external company, which means if that company gets breached your data is right there.
If you don't encrypt it with a second layer, anyone who gains access to your VPN provider also owns you.
You have just extended your circle of trust to include all of the employees of your vendor, a whole bunch of people you will never meet.
If they have cleartext access to your data, you have a problem.
Security is done in layers.
If someone breaches one layer, it's best if they get stopped by another.
The more layers (within practical limits) the better.
To put it another way, as wed128 so succinctly put it above, "Yes." Though I'd add "HELL, YES!" about 100 times after it.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536248</id>
	<title>OpenBSD</title>
	<author>Anonymous</author>
	<datestamp>1259776020000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>OpenBSD does code audits. All security-sensitive applications should be, if not by the developers, by the people deploying them, if they have the resources.</p></htmltext>
<tokenext>OpenBSD does code audits .
All security-sensitive applications should be , if not by the developers , by the people deploying them , if they have the resources .</tokentext>
<sentencetext>OpenBSD does code audits.
All security-sensitive applications should be, if not by the developers, by the people deploying them, if they have the resources.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536270</id>
	<title>Flip the question.</title>
	<author>tacarat</author>
	<datestamp>1259776200000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext>How are they auditing the code of the closed source apps they're using?  If there are steps in place, use those as a minimum. If there aren't, then how's the blind faith of using those programs different than what's needed for open source?</htmltext>
<tokenext>How are they auditing the code of the closed source apps they 're using ?
If there are steps in place , use those as a minimum .
If there are n't , then how 's the blind faith of using those programs different than what 's needed for open source ?</tokentext>
<sentencetext>How are they auditing the code of the closed source apps they're using?
If there are steps in place, use those as a minimum.
If there aren't, then how's the blind faith of using those programs different than what's needed for open source?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30540026</id>
	<title>Re:I thought auditing was the whole point</title>
	<author>Anonymous</author>
	<datestamp>1259756520000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><i>how many people are actually eyeballing the code?</i></p><p>At the risk of stating the obvious, the fact that anyone CAN view the code is just a <i>little</i> more important than the exact number of eyeballs.</p></htmltext>
<tokenext>how many people are actually eyeballing the code ? At the risk of stating the obvious , the fact that anyone CAN view the code is just a little more important than the exact number of eyeballs .</tokentext>
<sentencetext>how many people are actually eyeballing the code?
At the risk of stating the obvious, the fact that anyone CAN view the code is just a little more important than the exact number of eyeballs.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537354</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537138</id>
	<title>Re:I hate modern Project Managers</title>
	<author>Locke2005</author>
	<datestamp>1259780820000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Why should I pay people to test my products when I can get my customers to pay me for the privilege of testing my products? (No, I don't work for Microsoft -- I'm just playing Devil's Advocate here.)</htmltext>
<tokenext>Why should I pay people to test my products when I can get my customers to pay me for the privilege of testing my products ?
( No , I do n't work for Microsoft -- I 'm just playing Devil 's Advocate here . )</tokentext>
<sentencetext>Why should I pay people to test my products when I can get my customers to pay me for the privilege of testing my products?
(No, I don't work for Microsoft -- I'm just playing Devil's Advocate here.)</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536400</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536336</id>
	<title>At risk of sounding redundant, yes.</title>
	<author>plopez</author>
	<datestamp>1259776500000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>You *think* the VPN and encryption software is secure. But flaws have been found in the past. The basic underlying strategy of security is a multi-layered defense.</p></htmltext>
<tokenext>You * think * the VPN and encryption software is secure .
But flaws have been found in the past .
The basic underlying strategy of security is a multi-layered defense .</tokentext>
<sentencetext>You *think* the VPN and encryption software is secure.
But flaws have been found in the past.
The basic underlying strategy of security is a multi-layered defense.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537634</id>
	<title>Sure, but make it voluntary</title>
	<author>cryfreedomlove</author>
	<datestamp>1259783940000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>If there is a good reason to do this then companies will do it because it serves their own self interest.</htmltext>
<tokenext>If there is a good reason to do this then companies will do it because it serves their own self interest .</tokentext>
<sentencetext>If there is a good reason to do this then companies will do it because it serves their own self interest.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536326</id>
	<title>It's not even really a question</title>
	<author>BadAnalogyGuy</author>
	<datestamp>1259776440000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>The answer is Yes. When you run software, you are running it under 1 of the following 3 assumptions:</p><p>1. You implicitly trust the vendor<br>2. You have tested it yourself and trust your tests<br>3. You are oblivious (the vast majority of users are)</p><p>What's more, since Open Source software lacks any single person you could possibly sue in case things go terribly wrong, it makes sense to mistrust it a priori. OSS isn't magically secure because it is open. It still needs testing and validation if you intend to run it in any serious corporate environment.</p><p>To simply accept a software package without assuming it is riddled with bugs and security vulnerabilities is foolish. No matter if it is a proprietary software package or an Open Source community project, any sane CIO will want some sort of evidence that the product will not end up losing them money and customer trust due to security vulnerabilities.</p></htmltext>
<tokenext>The answer is Yes .
When you run software , you are running it under 1 of the following 3 assumptions :
1 . You implicitly trust the vendor
2 . You have tested it yourself and trust your tests
3 . You are oblivious ( the vast majority of users are )
What 's more , since Open Source software lacks any single person you could possibly sue in case things go terribly wrong , it makes sense to mistrust it a priori .
OSS is n't magically secure because it is open .
It still needs testing and validation if you intend to run it in any serious corporate environment .
To simply accept a software package without assuming it is riddled with bugs and security vulnerabilities is foolish .
No matter if it is a proprietary software package or an Open Source community project , any sane CIO will want some sort of evidence that the product will not end up losing them money and customer trust due to security vulnerabilities .</tokentext>
<sentencetext>The answer is Yes.
When you run software, you are running it under 1 of the following 3 assumptions:
1. You implicitly trust the vendor
2. You have tested it yourself and trust your tests
3. You are oblivious (the vast majority of users are)
What's more, since Open Source software lacks any single person you could possibly sue in case things go terribly wrong, it makes sense to mistrust it a priori.
OSS isn't magically secure because it is open.
It still needs testing and validation if you intend to run it in any serious corporate environment.
To simply accept a software package without assuming it is riddled with bugs and security vulnerabilities is foolish.
No matter if it is a proprietary software package or an Open Source community project, any sane CIO will want some sort of evidence that the product will not end up losing them money and customer trust due to security vulnerabilities.</sentencetext>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_23_157215_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536442
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536270
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_23_157215_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536754
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536270
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_23_157215_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30539128
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536326
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_23_157215_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536380
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536246
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_23_157215_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30540026
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537354
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536716
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_23_157215_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537538
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536270
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_23_157215_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537234
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536716
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_23_157215_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537138
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536400
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_23_157215_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536856
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536400
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_23_157215_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536356
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536246
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_23_157215_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537518
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536246
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_12_23_157215_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536708
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536270
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_23_157215.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537210
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_23_157215.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536326
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30539128
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_23_157215.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536512
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_23_157215.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536400
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537138
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536856
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_23_157215.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536246
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536380
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537518
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536356
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_23_157215.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537382
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_23_157215.9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536270
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537538
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536442
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536754
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536708
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_23_157215.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536716
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537234
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537354
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30540026
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_23_157215.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30537634
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_12_23_157215.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_12_23_157215.30536698
</commentlist>
</conversation>
