With open source software - trust but verify
Fri 15 Aug 2014, 09:49 AMTweet
by Ben Langhinrichs
Copyright © 2014 Genii Software Ltd.
What has been said:
1067.1. Nathan T. Freeman (08/15/2014 09:23 AM)
You can replace every instance of "open source" here with "proprietary" and the statement is exactly as true. Apple, Microsoft, IBM, Oracle and SAP ship software with as many security vulnerabilities as OpenSSL, Apache, Eclipse or the Linux Foundation. The "nefarious somebody" planting a vulnerability is even more likely with proprietary code. In fact, we know now that it's a virtual certainty with the NSA forcing major vendors to provide secret access through National Security letters.
At least with Heartbleed, once the threat was identified, there were thousands of developers and organizations that could act to fix it. There is no one that can fix the governmental backdoors into Skype or Facebook or Google or Hotmail or RSA except the occasional journalist that gets enough hype out of a piece to force the lawyers at big corporations to file federal lawsuits just to allow them to disclose the extent of the vulnerabilities.
1067.2. Paul Withers (15/08/2014 09:31)
A very valid point. But I would dispute anyone using that as a reason to tell developers not to use open source. As a developer or a consumer, sooner or later you've got to trust developers. All those Apple users trusted Apple. Yes, there's a failing of Apple's QA. But playing devil's advocate, should the consumer equally QA any software they choose to use, if all software has bugs?
1067.3. Ben Langhinrichs (08/15/2014 09:40 AM)
Nathan - Absolutely true about proprietary code, whether you wrote it or not. My worry is that there is a certain mystique about open source code (in the way that technology seems to attract quasi-religious faith) that leads some to think that it is somehow invulnerable. I would treat proprietary libraries with exactly the same degree of caution as open source libraries, but I have debated with people who seem to feel open source is automatically safer because you can see the source code. That is simply not true, hence my caution.
1067.4. Ben Langhinrichs (08/15/2014 09:46 AM)
Paul - Since all software has bugs, it provides no safe haven to write your own, and it is often better to rely on code from others, whether proprietary or open source. But as to your second point, it is unreasonable for consumers to QA the software they buy, which is why companies are responsible for the process. Nonetheless, do you trust any software or device you buy absolutely, or do you keep a sense of caution? Rudi likes to tell stories about how customers in Germany (a rule following place) wound up driving into rivers or off the road because their GPS said to. We have to trust software and hardware within reason, but we also have to trust those who sell to us to do due diligence. As a vendor of software, that is my job, whether I am using software I have written, bought or gotten for free.