[kwlug-disc] given enough eyeballs, all bugs are shallow?

john at netdirect.ca john at netdirect.ca
Fri Jan 8 13:37:17 EST 2010


kwlug-disc-bounces at kwlug.org wrote on 01/08/2010 01:00:12 PM:
> From: Lori Paniak <ldpaniak at fourpisolutions.com>
> 
> I don't believe that the culture of FOSS makes the software more secure.
> In fact, there are examples of how it makes software more insecure.  For
> example, the libssl fiasco in Debian/ubuntu of two years ago.  There,
> the community (Debian package maintainer) decided to add value to the
> code by eliminating all the "unnecessary" files from the code.  Of
> course, along with them went the entropy to make decent keys.  It took
> more than a year for the community to notice that SSL keys produced by
> the code were defective and do something about it.

You cannot possibly mean that misusing a library is not possible in the 
closed source world.
 
> On the upside, this example showed how the community could quickly act
> to remove the defective code from service and repair the damage.

This is one of the key facets that I think makes FOSS more secure.
 
> When presenting the advantages of open source, we ought to stick to
> demonstrable facts and avoid the pseudo-science of software sociology.
> FOSS is made by people, just like code from the other guys and gals.

I find it useful to talk about motivations and capabilities. Demonstrable 
facts tend to be statistics which are point-in-time measurements. The 
former has more longevity.

> Like all software, it is broken and/or will eventually need modification
> if it is good enough to be used.  The advantage of FOSS is that you are
> guaranteed the permission and background code to make these
> repairs/changes.  Try getting critical security patches for XP in 5
> years. 

I don't think we have to wait that long to see Microsoft software that is 
in use that doesn't have patch support.

One might also contend that I can't find software patches for Red Hat 8.0. 
Despite being able to patch the code myself, I'm just not tuned into the 
security community well enough.
 
> As for 'lots of eyes make for small bugs' chestnut, the counter-argument
> would be that in desktop-land Linux has 1% of the eyeballs, OSX, 9% and
> Microsoft 90%.  Hence, the Apple desktop is 9x more secure than Linux
> and Windows 90x.  If you disagree, then you also disagree with the
> original claim.  The issue of software security is too complicated to
> summarize in a single phrase.

The counter-counter argument is that those OSX and MS eyeballs you refer 
to don't have complete vision. They are essentially testers because they 
can't see the code.

How many programmers, researchers, students and other concerned people are 
reading FOSS code? How many are reading closed code?

I talked with Rob Day recently and realised that he fits one of my 
theorized anecdotes about FOSS.

I used to use a theoretical case to explain this. Imagine a programmer 
that has a pet peeve about something. It could be wasted memory space, 
logic inefficiency, or some subtle or far-fetched vulnerability. He 
decides to scour a FOSS package looking to find or eradicate the issue and 
comes up with modest space savings. Would a corporate body have done this? 
If the perceived cost-benefit was too small, or just smaller than other 
options, then they would not do it. Would a community do this? Yes of 
course because one individual took initiative. 

Rob Day exemplified this because he had a peeve and knew how to deal with 
it. He saw a problem with the kernel source code. The config variables 
used in determining what features are compiled into the kernel had lots of 
errors. This was a problem that bothered Rob, but didn't bother other 
kernel programmers enough to do something about it. Rob did something 
about it. He created a relatively simple program that scanned for typos, 
uploaded the list to a web site and notified module maintainers of the 
problem.

With all the kernel programmers out there, Rob was the first to come up 
with that idea. Imagine tens of thousands of programmers contributing to 
the kernel over the years and only one that created a solution to this 
problem. How many people have worked on the Windows kernel? Probably 
hundreds, maybe a thousand. How many good ideas are not implemented?


John Van Ostrand
Net Direct Inc.
 
CTO, co-CEO
564 Weber St. N. Unit 12
 
Waterloo, ON N2L 5C6
 
john at netdirect.ca
Ph: 866-883-1172
ext.5102
Linux Solutions / IBM Hardware
Fx: 519-883-8533
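The kind of scan described in the Rob Day anecdote above, as an added example that is not part of the original post and is not Rob Day's program: it collects the symbols a Kconfig file defines, finds every CONFIG_* reference in source files and Makefiles, and reports references that match no defined symbol. The Kconfig fragment, source files and symbol names (FOO_DRIVER, FOO_DEBUG and their misspellings) are constructed for illustration, not taken from any real kernel tree.

```python
"""Minimal checker for CONFIG_* references that no Kconfig symbol defines.

Added example. The inputs below are constructed; a real run would read
every Kconfig file in the tree (all arch/ directories included) and walk
the source and Makefiles on disk.
"""
import re

# Constructed Kconfig fragment with two hypothetical symbols.
SAMPLE_KCONFIG = """\
config FOO_DRIVER
    bool "Foo driver"

menuconfig FOO_DEBUG
    bool "Foo debug"
"""

# Constructed sources: one correct reference and two typos.
SAMPLE_SOURCES = {
    "drivers/foo/foo.c": """\
#ifdef CONFIG_FOO_DRIVER
static int foo_init(void) { return 0; }
#endif
#if IS_ENABLED(CONFIG_FOO_DEBUGG)   /* typo: extra G */
#endif
""",
    "drivers/foo/Makefile": "obj-$(CONFIG_FOO_DRIVRE) += foo.o\n",
}

# "config SYM" or "menuconfig SYM" at the start of a line defines SYM.
KCONFIG_DEF = re.compile(r"^\s*(?:menu)?config\s+([A-Za-z0-9_]+)\s*$", re.M)
# Any CONFIG_<name> token in code or Makefiles is a reference.
CONFIG_REF = re.compile(r"\bCONFIG_([A-Za-z0-9_]+)")


def defined_symbols(kconfig_text):
    """Return the set of symbol names the Kconfig text defines."""
    return set(KCONFIG_DEF.findall(kconfig_text))


def referenced_symbols(sources):
    """Map each referenced symbol to the (path, line) pairs that use it."""
    refs = {}
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in CONFIG_REF.finditer(line):
                sym = match.group(1)
                # A tristate symbol FOO also yields CONFIG_FOO_MODULE, so
                # fold that suffix back onto the base symbol.
                if sym.endswith("_MODULE"):
                    sym = sym[: -len("_MODULE")]
                refs.setdefault(sym, []).append((path, lineno))
    return refs


def undefined_references(kconfig_text, sources):
    """Return {symbol: [(path, line), ...]} for references with no definition."""
    defined = defined_symbols(kconfig_text)
    return {
        sym: locs
        for sym, locs in referenced_symbols(sources).items()
        if sym not in defined
    }


def report(kconfig_text, sources):
    """Render the undefined references as compiler-style diagnostic lines."""
    lines = []
    for sym, locs in sorted(undefined_references(kconfig_text, sources).items()):
        for path, lineno in locs:
            lines.append(f"{path}:{lineno}: CONFIG_{sym} is not defined in any Kconfig")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_KCONFIG, SAMPLE_SOURCES):
        print(line)
```

Against a real tree the definition set must be gathered from every Kconfig file, not one, and some hits will be deliberate (symbols mentioned only in comments, or defined by a build system outside Kconfig), so the output is a list for a human to triage rather than a pass/fail gate.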
 