  Open Source Security: Still a Myth
Subject:   a little editing --
Date:   2004-09-17 18:05:27
From:   joelrees

In the paragraph before "The Market for Secure Software", shifting from the problems amateurs have with SSL (TLS?) to the laziness amateurs have when faced with complex security interactions, you say:

That is, instead of fixing potential problems and moving on, they'll try to force security auditors to spend hours of precious time demonstrating exploitability. This actually tends to be more of a problem in the open source world than in the commercial world, because commercial projects typically are driven more by schedules. Managers often are already worried about sticking to their schedule and will try to railroad developers into taking the easy road, ...

Are you sure you didn't mean to say, it actually tends to be more of a problem in the commercial world because of the schedules?


  • a little editing --
    2004-09-18 09:54:11  stinkingpig

    No, he's saying that because of the tight timelines, people can't waste days and weeks on arguing over whether something should be done. If the developers and the auditors disagree over whether the implementation should be changed, then they put their relative cases forward in a meeting with project management and/or product management, a decision is made, and the results are acted on. If one side doesn't like the decision, they may grumble but they're not able to do much more than that unless they want to quit their job.

    In the open source world, disagreements can produce complete deadlock and a forked or competing project. XFree86 > X.org, anyone? LRP > LEAF? KDE vs GNOME vs a thousand others? I like the wild west atmosphere of it because I get to pick and choose a set of software that supports my needs well, but supporting a few thousand PEBCAKs with Linux desktops would be an interesting experience.
  • a little editing --
    2004-09-17 18:20:48  joelrees

    Separating the edit from the critique, I think the error reflects the fuzziness of the approach. It seems to me that the author, recognizing that the many eyes argument shifts in quality for the small audience projects, but not thinking through.

    As one reply has already noted, at the very minimum, open source offers more potential for external audit than closed source. Closed source contains inherent barriers to external audit. Just like with voting machines, it is the external audit that allows for real engineering audits to begin.

    One more pet peeve: commercial vs. open source is a false argument. Large audience open source is without exception commercial.