I find people who agree with me for the wrong reasons to be more problematic than people who simply disagree with me. After writing a lot about why free software is important, I needed to clarify that there are good and bad reasons for supporting it.

You can audit the security of proprietary software quite thoroughly; source code isn’t a necessary or sufficient precondition for a particular software implementation to be considered secure.

  • federico3
    link
    fedilink
    arrow-up
    8
    ·
    3 years ago

    While the article provides good description of fuzzing, static analysis etc it focuses only on a set of threats and mitigations. There is much more:

    • “How security fixes work”: Linux distributions do a ton of work to implement security fixes for stable releases without input from upstream developers. (And sometimes projects are completely abandoned by upstream developers). The ability for 3rd parties to produce security patches depends on having access to source code and it’s absolutely crucial for high-security environments (e.g. banks, payment processors…). Some companies pay a lot of money for such service. This aspect is a bit understated under “Good counter-arguments”.
    • Software supply chain attacks are a big issue. Open source mitigates the problem by creating transparency on what is used in a build. OS distributions solve the problem by doing reviews and freeze periods.
    • Some Linux distributions go even further and provide reproducible builds. This is not possible with closed source.
    • A transparent development process creates accountability and limits the ability for a malicious developer to insert backdoors/bugdoors. This is quite important.
    • Access to source code, commit history and bug trackers allows end users to quickly gain an understanding of the quality of the development process and the handling of security issues in the past.
    • …it also enable authorship and trust between developers and users.
    • End users and 3rd parties can contribute security-related improvements e.g. sandboxing.
    • Companies can suddenly terminate or slow down development or security support. Community driven projects, and the ability to fork projects strongly mitigates such risk.

    I agree that claiming that something is secure just because it’s FLOSS is an oversimplification. Security is a much bigger and broader process than just analyzing a binary or some sources.

    • SeirdyOP
      link
      fedilink
      arrow-up
      3
      arrow-down
      1
      ·
      edit-2
      3 years ago

      You make a lot of good points here, many of which I actually agree with.

      The article focused on studying the behavior and properties of software. For completeness, it mentioned how patching can be crowdsourced with the example of Calibre. I also described how FLOSS decreases dependence on a vendor, and wrote two prior posts about this linked at the top.

      I never claimed that source code is useless, only that we shouldn’t assume the worst if it isn’t provided.