Open Source Security: Still a Myth
Subject:   An extremely flawed article
Date:   2004-09-17 11:23:22
From:   McAction
This was very disappointing to read on oreillynet.
1) Reputation is as valuable a motivator as money. No developer wants their project to be thought of as insecure. Microsoft's biggest problem and the cause of their imminent downfall is that no one trusts them.

2) There is NO guarantee that propriety software developers run these stringent audits the author fantasizes about. FOSS may be guilty as charged, but so is EVERYONE else.

3) The not-so-subtle implication throughout the article that open source developers are necessarily average is insulting and obviously wrong. Average and below average developers are plentiful in the commercial software industry--anyone have a different experience?

4) Near the end of the article he claims that security has to be measured on a case-by-case basis yet he painted with a broad brush throughout the entire article. So, which is it?

5) Not yet "secure enough"? Daily we relearn that the pinnacle of proprietary development (Microsoft) causes more security headaches than any other vendor.

Overall, this was an extremely sad article. It just did not have any positive value.


  • An extremely flawed article
    2004-09-17 11:26:14  McAction

    I forgot the big one: with open source at least anyone and everyone has the opportunity to do whatever security audit they wish. Try demanding that you need to audit the source code of Outlook before you deploy it--see what Microsoft says. Good luck!

    Case closed.
    • An extremely flawed article
      2004-09-17 11:58:34  Shane_Brodie

      I get such a kick out of reading the reactionary articles submitted by card-carrying members of either the commercial software industry or the open source community that I can't help but chuckle.

      No-one in their right mind thinks of software in the strictly black and white ideals of commercial or open source. Following either path blindly would be foolhardy.

      Stating that Microsoft software is insecure, while it "may" be true, it can hardly be held up to open source and compared. After all open source does not have tens of thousands raving "anti open source" troglodytes actively working to discredit it.

      Real programmers, IT Managers, and knowledgeable end-users know that they can get the best bang for their dollar/yen/euro/peso/etc. etc. by striking a balance on all of the alternatives.

      Why can't we all just get along ...
    • I'm Not Convinced
      2004-09-17 11:55:30  chromatic (O'Reilly Author, O'Reilly Blogger)

      I think that to prove your case, you'd have to prove that having the source code available for people to audit actually leads to widespread audits and security fixes. Otherwise, you're arguing a point that John deliberately didn't address.

      Certainly the availability of auditable code and the ability to produce patches might mean that open source code could have more people doing security audits and fixing problems before exploits appear -- but postulating that people could fix problems doesn't mean that people will or actually do.

      Unrealized potential may be nice to have, but it doesn't really do anything for you until someone puts work into realizing it.

      I'm not interested in anecdotes and I'm very disinterested in comparisons between Apache and IIS or Outlook and mutt. I want real data, not handwaving.
      • I'm Not Convinced
        2004-09-17 12:17:08  McAction

        I absolutely agree that potential doesn't equal action and that some hard data would be very helpful. However, there was no hard data in the article either. I used the same sort of arguments that the author used, so I guess my comments probably were lacking in value as well.

        • I'm Not Convinced
          2005-01-18 21:03:45  musnat

          I think you are using open source zealotry, which has no merit at all.

          Microsoft does share its source code with governments. That means a lot to anybody who is making a decision to buy Microsoft software. Everybody knows for sure that Microsoft's software has been checked out by other people who don't have a common interest to cheat you, China vs US etc...

          On the other hand, we don't know who is really checking out open source. There is no formal way of knowing that.

          You have no arguments, I think; you are simply one of the thousands of open source zealots who is more than ready to lie and distort facts or come up with all sorts of nonsense.