[kwlug-disc] given enough eyeballs, all bugs are shallow?

Lori Paniak ldpaniak at fourpisolutions.com
Fri Jan 8 16:46:26 EST 2010


On Fri, 2010-01-08 at 13:37 -0500, john at netdirect.ca wrote:
> kwlug-disc-bounces at kwlug.org wrote on 01/08/2010 01:00:12 PM:
> > From: Lori Paniak <ldpaniak at fourpisolutions.com>
> > 
> > I don't believe that the culture of FOSS makes the software more secure.
> > In fact, there are examples of how it makes software more insecure.  For
> > example, the libssl fiasco in Debian/ubuntu of two years ago.  There,
> > the community (Debian package maintainer) decided to add value to the
> > code by eliminating all the "unnecessary" files from the code.  Of
> > course, along with them went the entropy to make decent keys.  It took
> > more than a year for the community to notice that SSL keys produced by
> > the code were defective and do something about it.
> 
> You cannot possibly mean that misusing a library is not possible in the closed 
> source world.
>  

Actually it is worse than that.  The pathway of open source software
from programmer to end-user involves an intermediate state which is not
present in proprietary software:  the package/distribution maintainer.
The people who code open source software belong to a project.  People
install distributions on their computers.  There has to be someone in
the middle to package projects into distributions.  I do not see how
this extra step can improve the security of a piece of software.  I gave
a concrete example of how this extra step can degrade system security.

Certainly, a large entity that produces proprietary software has
different divisions for creating and packaging code, but at least they
are under the same roof (so to speak).  

...
>  
> > When presenting the advantages of open source, we ought to stick to
> > demonstrable facts and avoid the pseudo-science of software sociology.
> > FOSS is made by people, just like code from the other guys and gals.
> 
> I find it useful to talk about motivations and capabilities. Demonstrable 
> facts tend to be statistics which are point-in-time measurements. The 
> former has more longevity.
> 
I'm lazy.  I like to win arguments with cold hard numbers.  They tend to
lead to shorter discussions with less hand waving.  I agree
"motivations" carry a lot of weight but they are usually among the first
casualties in a debate with an unsympathetic opponent.

...
> > As for 'lots of eyes make for small bugs' chestnut, the counter-argument
> > would be that in desktop-land Linux has 1% of the eyeballs, OSX, 9% and
> > Microsoft 90%.  Hence, the Apple desktop is 9x more secure than Linux
> > and Windows 90x.  If you disagree, then you also disagree with the
> > original claim.  The issue of software security is too complicated to
> > summarize in a single phrase.
> 
> The counter-counter argument is that those OSX and MS eyeballs you refer 
> to don't have complete vision. They are essentially testers because they can't 
> see the code.
> 
> How many programmers, researchers, students and other concerned people are 
> reading FOSS code? How many are reading closed code?
> 

Then it degenerates into an argument about the "quality" of eyeballs.
Is an open source bug report worth more than a closed source bug report?
I suspect that the vast majority of bugs in a piece of code are found by
end-users in the course of normal usage, not by people reading source
code (has anyone ever *discovered* a bug by reading the source?).  If
true, then there is no open source advantage for finding bugs.  The
advantage arrives when it is time to fix the bugs.

...

> With all the kernel programmers out there, Rob was the first to come up 
> with that idea. Imagine tens of thousands of programmers contributing to 
> the kernel over the years and only one that created a solution to this 
> problem. How many people have worked on the Windows kernel? Probably 
> hundreds, maybe a thousand. How many good ideas are not implemented?
> 

Good point.  And thanks Rob!
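The libssl fiasco referred to above, as a constructed illustration added here (this is neither the poster's code nor OpenSSL's or Debian's): the Debian patch commented out the MD_Update() calls in md_rand.c that mixed caller-supplied entropy into the PRNG pool, so the only input that still varied from one run to the next was the process ID, and the set of possible keys for a given key type shrank to the PID range. The toy model below uses SHA-256 in counter mode as a stand-in for the PRNG, assumes the default Linux pid_t range of the time (1..32767), and invents its function names; the second generator accepts entropy but ignores it, which is what the patched build effectively did.

```python
"""Toy model of how removing entropy mixing collapses a key space.

Constructed example for this thread, not code from OpenSSL or Debian.
"""
import hashlib
import random
from typing import Callable, Optional

# Assumption: default Linux pid_t range of the era, 1..32767, no pid_max tuning.
MAX_PID = 32767


def prng_output(pool: bytes, nbytes: int = 16) -> bytes:
    """Stand-in for the PRNG: stretch the seed pool with SHA-256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(pool + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:nbytes]


def keygen_correct(pid: int, entropy: bytes) -> bytes:
    """Intended behaviour: caller entropy (e.g. bytes read from /dev/urandom)
    and the PID both feed the pool, so two runs never share a key."""
    pool = b"pid:" + pid.to_bytes(4, "big") + b"|entropy:" + entropy
    return prng_output(pool)


def keygen_debian(pid: int, entropy: bytes) -> bytes:
    """Broken behaviour: the entropy argument is accepted but never mixed in
    (the commented-out MD_Update() calls), so the key depends on the PID alone."""
    del entropy  # deliberately ignored, modelling the patched build
    pool = b"pid:" + pid.to_bytes(4, "big")
    return prng_output(pool)


def count_distinct_keys(keygen: Callable[[int, bytes], bytes],
                        trials: int, seed: int = 2010) -> int:
    """Simulate many independent key generations (random PID, fresh entropy
    each time) and count how many distinct keys come out."""
    rng = random.Random(seed)  # fixed seed so the demonstration is reproducible
    keys = set()
    for _ in range(trials):
        pid = rng.randint(1, MAX_PID)
        entropy = rng.getrandbits(256).to_bytes(32, "big")
        keys.add(keygen(pid, entropy))
    return len(keys)


def recover_pid_from_key(target_key: bytes) -> Optional[int]:
    """The attacker's side: enumerate every PID and regenerate the key.
    For the broken generator that loop covers the whole key space."""
    for pid in range(1, MAX_PID + 1):
        if keygen_debian(pid, b"") == target_key:
            return pid
    return None


if __name__ == "__main__":
    trials = 2000
    print("correct generator, distinct keys:", count_distinct_keys(keygen_correct, trials))
    print("debian generator,  distinct keys:", count_distinct_keys(keygen_debian, trials))
    victim_key = keygen_debian(pid=4321, entropy=b"real randomness that is ignored")
    print("recovered PID:", recover_pid_from_key(victim_key))  # 4321
```

With 2000 simulated runs the correct generator yields 2000 distinct keys, while the broken one yields fewer, because two runs that happen to land on the same PID get the same key; and any key it produces can be matched by regenerating at most 32767 candidates, which is the precomputation the real-world blacklists were built from.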