[kwlug-disc] given enough eyeballs, all bugs are shallow?

Lori Paniak ldpaniak at fourpisolutions.com
Fri Jan 8 13:00:12 EST 2010


On Fri, 2010-01-08 at 12:01 -0500, unsolicited wrote:
> To summarize the earlier arguments, it's not that FOSS is more secure, 
> it is that the culture and environment in which or by which it is 
> produced that makes it more secure. And, substantially, this occurs 
> merely due to code (peer) review, not because it's FOSS. Part of 
> Chris' point is that code review, wherever used, proprietary or not, 
> is just as valuable.
> 


I don't believe that the culture of FOSS makes the software more secure.
In fact, there are examples of how it makes software more insecure.  For
example, the libssl fiasco in Debian/Ubuntu of two years ago.  There,
the community (Debian package maintainer) decided to add value to the
code by eliminating all the "unnecessary" files from the code.  Of
course, along with them went the entropy to make decent keys.  It took
more than a year for the community to notice that SSL keys produced by
the code were defective and do something about it.

On the upside, this example showed how the community could quickly act
to remove the defective code from service and repair the damage.

When presenting the advantages of open source, we ought to stick to
demonstrable facts and avoid the pseudo-science of software sociology.
FOSS is made by people, just like code from the other guys and gals.
Like all software, it is broken and/or will eventually need modification
if it is good enough to be used.  The advantage of FOSS is that you are
guaranteed the permission and background code to make these
repairs/changes.  Try getting critical security patches for XP in 5
years.

As for the 'lots of eyes make for small bugs' chestnut, the counter-argument
would be that in desktop-land Linux has 1% of the eyeballs, OSX 9% and
Microsoft 90%.  Hence, the Apple desktop is 9x more secure than Linux
and Windows 90x.  If you disagree, then you also disagree with the
original claim.  The issue of software security is too complicated to
summarize in a single phrase.
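The entropy loss Lori describes, as an added illustration that is not part of the list post: a constructed toy model in which key material depends only on the process id (the assumed PID_MAX of 32768 is the Linux default of the era), showing why independently generated keys collided and how a defender can precompute the whole reachable key space to reject known-weak keys.

```python
import hashlib
import secrets

# Constructed toy model of the entropy loss: once the seeding lines were
# stripped, about the only value still mixed into the PRNG was the process
# id, so every "random" key came from a space of roughly PID_MAX values.
PID_MAX = 32768  # assumption: Linux default pid_max of the era


def broken_keygen(pid: int, key_bytes: int = 16) -> bytes:
    """Model of the defective generator: key material is a function of the pid alone."""
    seed = b"constructed-model" + pid.to_bytes(4, "big")
    return hashlib.sha256(seed).digest()[:key_bytes]


def sound_keygen(key_bytes: int = 16) -> bytes:
    """Properly seeded generator: key material comes from the OS CSPRNG."""
    return secrets.token_bytes(key_bytes)


def count_collisions(keys) -> int:
    """Count keys that repeat an earlier key. Any repeat among keys that
    should be independent signals that the generator's seed space collapsed."""
    seen, dups = set(), 0
    for k in keys:
        if k in seen:
            dups += 1
        seen.add(k)
    return dups


def weak_key_blacklist(key_bytes: int = 16) -> set:
    """Enumerate every key the broken generator can emit. The space is so
    small that a defender can precompute it and reject any key found in it,
    much as the Debian openssl-blacklist package did for the real keys."""
    return {broken_keygen(pid, key_bytes) for pid in range(PID_MAX)}


def is_known_weak(key: bytes, blacklist: set) -> bool:
    return key in blacklist


if __name__ == "__main__":
    # 40000 keys from the broken generator, each "generated" under some pid:
    # more keys than pids forces repeats, while the sound generator shows none.
    weak = [broken_keygen(n % PID_MAX) for n in range(40000)]
    good = [sound_keygen() for _ in range(40000)]
    print("collisions, broken:", count_collisions(weak))  # 7232
    print("collisions, sound: ", count_collisions(good))  # 0
    bl = weak_key_blacklist()
    print("pid-1234 key blacklisted:", is_known_weak(broken_keygen(1234), bl))
```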