Open Source Security: Still a Myth
Subject:   Summary
Date:   2004-09-17 05:44:21
From:   dscotson
I think your argument could be summarized as follows

"Small, underused, badly-coded open source apps, written for their own amusement by amateurs and volunteers who overestimate their own abilities in the fundamentally difficult field of security will have more problems than large, widely-used, well-written, proprietary apps authored and audited by humble yet skilled full-time professionals for big business."

Unfortunately, you could reverse the positions of 'open source' and 'proprietary' and get an equally true assessment (in my opinion).

The fact that the word 'commercial' is used repeatedly as the antonym of 'open source' suggests you think that it is, at the very least, uncommon for that reversal to hold true. This is a symptom of the wider problem that ensures the article misses the more interesting questions, e.g.

If Sun open sources Solaris (as they claim they will) will it become more or less secure?

I'm guessing the answer would be "that used to be commercial [sic], therefore it doesn't count as open source". But I have the intuition that the combination of open source and commercial, professional development will be more effective than either alone.


  • Summary of summary
    2004-09-17 09:45:04  chillhaze

    With all due respect, I think your rebuttal could be summarized as follows:

    I'm an open source supporter, and the author has gored my ox. Despite stating quite plainly that open source was no more insecure than 'commercial' software, just not better as some people have claimed, he must be wrong because ... well, just because.

    I have an opinion that things are different, though I have no real proof to offer at this time.

    I would prefer the author discuss the concept that 'commercial software != open source software', because I think that is more interesting.

    I would also request the author consider this poorly fleshed-out example, which does not actually conflict with the article. My intuition is that somehow combining open source and "closed, professional development" would be somehow better than current practices, even though I can offer no reason for such an outcome.

    Wouldn't a simple "You're wrong, dead wrong" have sufficed?
    • Correction
      2004-09-18 05:59:05  dscotson

      I'm not sure who gored *your* ox, but if you want to rail incoherently against imaginary free software zealotry then carry on.

      I only ask that if you're going to directly quote me, then at least get the words correct. I was speculating about the combination of the mooted open source security advantages with "commercial, professional development" (as recommended by the original author) since the two concepts are clearly not mutually exclusive.

      Substituting 'closed' for 'commercial' makes the quote as confused as the rest of your response is on the distinction between the two concepts.