by hannob 3485 days ago
> One is to add features / layers to enhance security, such as with GRSecurity. The other is to ensure correctness, so that there are no bugs to exploit.

There is no principled reason why these two philosophies - fixing bugs and exploit mitigations - collide. You can strive for both - and I'd argue that that's probably what most infosec people would support. OpenBSD also does quite a bit of exploit mitigation, so they're not clearly on a "bug fixing" philosophy either.

I know Spender has a pretty extreme position in saying that fixing bugs is almost irrelevant. But I'd say he's an extreme voice in that debate.