[kwlug-disc] given enough eyeballs, all bugs are shallow?
john at netdirect.ca
Fri Jan 8 13:37:17 EST 2010
kwlug-disc-bounces at kwlug.org wrote on 01/08/2010 01:00:12 PM:
> From: Lori Paniak <ldpaniak at fourpisolutions.com>
> I don't believe that the culture of FOSS makes the software more secure.
> In fact, there are examples of how it makes software more insecure. For
> example, the libssl fiasco in Debian/ubuntu of two years ago. There,
> the community (Debian package maintainer) decided to add value to the
> code by eliminating all the "unnecessary" files from the code. Of
> course, along with them went the entropy to make decent keys. It took
> more than a year for the community to notice that SSL keys produced by
> the code were defective and do something about it.
You cannot possibly mean that misusing a library is not possible in closed
> On the upside, this example showed how the community could quickly act
> to remove the defective code from service and repair the damage.
This is one of the key facets that I think makes FOSS more secure.
> When presenting the advantages of open source, we ought to stick to
> demonstrable facts and avoid the pseudo-science of software sociology.
> FOSS is made by people, just like code from the other guys and gals.
I find it useful to talk about motivations and capabilities. Demonstrable
facts tend to be statistics which are point-in-time measurements. The
former has more longevity.
> Like all software, it is broken and/or will eventually need modification
> if it is good enough to be used. The advantage of FOSS is that you are
> guaranteed the permission and background code to make these
> repairs/changes. Try getting critical security patches for XP in 5
I don't think we have to wait that long to see Microsoft software that is
in use that doesn't have patch support.
One might also contend that I can't find software patches for Red Hat 8.0.
Despite being able to patch the code myself, I'm just not tuned into the
security community well enough
> As for 'lots of eyes make for small bugs' chestnut, the counter-argument
> would be that in desktop-land Linux has 1% of the eyeballs, OSX, 9% and
> Microsoft 90%. Hence, the Apple desktop is 9x more secure than Linux
> and Windows 90x. If you disagree, then you also disagree with the
> original claim. The issue of software security is too complicated to
> summarize in a single phrase.
The counter-counter argument is that those OSX and MS eyeballs you refer
to don't have complete vision. They are essentially testers because they can't
see the code.
How many programmers, researchers, students and other concerned people are
reading FOSS code? How many are reading closed code?
I talked with Rob Day recently and realised that he fits one of my
theorized anecdotes about FOSS.
I used to use a theoretical case to explain this. Imagine a programmer
that has a pet peeve about something. It could be wasted memory space,
logic inefficiency, or some subtle or far-fetched vulnerability. He
decides to scour a FOSS package looking to find or eradicate the issue and
comes up with modest space savings. Would a corporate body have done this?
If the perceived cost-benefit was too small, or just smaller than other
options, then they would not do it. Would a community do this? Yes of
course because one individual took initiative.
Rob Day exemplified this because he had a peeve and knew how to deal with
it. He saw a problem with the kernel source code. The config variables
used in determining what features are compiled into the kernel had lots of
errors. This was a problem that bothered Rob, but didn't bother other
kernel programmers enough to do something about it. Rob did something
about it. He created a relatively simple program that scanned for typos,
uploaded the list to a web site and notified module maintainers of the
With all the kernel programmers out there, Rob was the first to come up
with that idea. Imagine tens of thousands of programmers contributing to
the kernel over the years and only one that created a solution to this
problem. How many people have worked on the Windows kernel? Probably
hundreds, maybe a thousand. How many good ideas are not implemented?
John Van Ostrand
Net Direct Inc.
564 Weber St. N. Unit 12
Waterloo, ON N2L 5C6
john at netdirect.ca
Linux Solutions / IBM Hardware
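The scanner John describes above (a program that finds config variables referenced in kernel source but never defined in Kconfig) is worth seeing in miniature, because the failure mode is a security one: a misspelled `CONFIG_` guard silently drops the code it protects from the build, so a hardening feature can appear enabled while never being compiled in. The script below is an added example written for this archive page; it is not Rob Day's tool and not the kernel's own checker. The Kconfig fragment and C source it works on are constructed samples embedded inline, and the symbol names in them (`FOO_DRIVER`, `FOO_DEBUG`, `HARDEN_FOO`) are invented for the illustration.

```python
import difflib
import re

# Constructed sample Kconfig fragment (not from any kernel tree).
SAMPLE_KCONFIG = """
config FOO_DRIVER
	bool "Foo driver"

config FOO_DEBUG
	bool "Foo debug output"
	depends on FOO_DRIVER

config HARDEN_FOO
	bool "Extra bounds checks in foo"
"""

# Constructed sample C source. The last guard is misspelled (FO0 with a zero),
# so the bounds-check block would never be compiled in, whatever .config says.
SAMPLE_SOURCE = """
#include <linux/kernel.h>

#ifdef CONFIG_FOO_DRIVER
static int foo_init(void) { return 0; }
#endif

#if IS_ENABLED(CONFIG_FOO_DEBUG)
#define foo_dbg(fmt, ...) pr_debug(fmt, ##__VA_ARGS__)
#endif

#ifdef CONFIG_HARDEN_FO0
static bool foo_check_bounds(size_t n) { return n < 64; }
#endif
"""

# 'config NAME' or 'menuconfig NAME' at the start of a Kconfig line.
CONFIG_DEF_RE = re.compile(r"^\s*(?:menu)?config\s+([A-Za-z0-9_]+)\s*$", re.MULTILINE)
# Any CONFIG_<symbol> token in C source (#ifdef, #if defined(), IS_ENABLED()).
CONFIG_REF_RE = re.compile(r"\bCONFIG_([A-Za-z0-9_]+)\b")


def kconfig_symbols(kconfig_text):
    """Return the set of symbols declared by config/menuconfig lines."""
    return set(CONFIG_DEF_RE.findall(kconfig_text))


def config_references(source_text):
    """Return {symbol: [line numbers]} for every CONFIG_<symbol> use in C source."""
    refs = {}
    for lineno, line in enumerate(source_text.splitlines(), start=1):
        for sym in CONFIG_REF_RE.findall(line):
            refs.setdefault(sym, []).append(lineno)
    return refs


def undefined_references(kconfig_text, source_text):
    """Symbols used in source that no Kconfig defines, with the lines that use them."""
    defined = kconfig_symbols(kconfig_text)
    return {sym: lines for sym, lines in config_references(source_text).items()
            if sym not in defined}


def suggest_symbol(bad_symbol, defined):
    """Best-guess intended symbol for a probable typo, or None if nothing is close."""
    matches = difflib.get_close_matches(bad_symbol, sorted(defined), n=1, cutoff=0.6)
    return matches[0] if matches else None


def report(kconfig_text, source_text):
    """One human-readable line per undefined reference, as the scanner would post."""
    defined = kconfig_symbols(kconfig_text)
    lines = []
    for sym, linenos in sorted(undefined_references(kconfig_text, source_text).items()):
        hint = suggest_symbol(sym, defined)
        where = ", ".join(str(n) for n in linenos)
        msg = f"CONFIG_{sym} referenced at line(s) {where} but never defined in Kconfig"
        if hint:
            msg += f" (did you mean CONFIG_{hint}?)"
        lines.append(msg)
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_KCONFIG, SAMPLE_SOURCE):
        print(line)
```

Run against a real tree, the same two passes (collect definitions from every Kconfig, collect `CONFIG_` tokens from every source file, diff the sets) are the whole job; the interesting part is reviewing the hits, since an undefined symbol under `#ifdef` is dead code that no compiler warning will point out.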