Re: Gauntlet: source code anyone ?

[David C Niemi <niemi () tux org>]

On Mon, 22 Mar 1999, Darren Reed wrote:
...
> In occurs to me that computing is becoming increasingly more appliance
> based and that appliances, by nature, are typically black-boxes.  If I
> feel I need to review the source code for a product, then there is
> something fundamentally wrong.  Being able to obtain it is, IMHO, a
> luxury and we've grown used to being spoilt.

If it is something customers find important, it is not a luxury.  There is
no reason customers suddenly can no longer deserve having source.  I think
the big change here is that (a) big, deep-pocketed, and highly proprietary
vendors are throwing FUD at the less proprietary (and often more
successful) products, and (b) the number of users of firewalls and other
security products has ballooned far faster than the number of people who
have any meaningful understanding of them.  At the same time the number of
people who can make good use of source code is increasing too, just not as
quickly, and they are being dwarfed by the number of people who just know
how to use a "wizard" and don't understand any of the underlying
technology.  That in no way reduces the soundness of making source code
available, it just is a reflection of the ability of companies with deep
pockets and big marketing budgets and a lack of scruples to make
technically superior competing products look bad in the eyes of the public.
This battle has to be fought in the marketing arena, not the technical one.

I don't think it's at all fair to insist that if few users actually modify
the source code of a firewall, or if few do intensive audits of the code,
that there is no customer need for available or modifiable source code.
Realistically, only very large or very security-oriented organizations are
likely to have the time to review source code as a matter of policy, and
no-one will sensibly modify the source code unless they need some
functionality which the standard product does not provide.

On the other hand, when prompted by a particular need, like a subtle
compatibility problem or an urgent security question, I find it immensely
valuable to be able to look at the source code of the product to figure out
why it is doing what is doing or whether it handles a particular problem
correctly.  This is useful even with vendors you trust and products that
work quite well and are documented quite well; documentation simply cannot
cover every detail of the implementation.  No, I don't consistently peruse
every package I could that has source code, but the availability of source
is a big plus for me.  If you want to appeal to the nontechnical
checkbox-validating market, you will have to compete largely on the
strength of your marketing division.

...

> To end this, I'd suggest that perhaps the problem isn't availability of
> source code, but the suggestion/perception that we need it because we're
> not prepared to trust vendors.

Is it our fault we don't trust vendors?  A lot of vendors have given their
customers good reason to be suspicious.

It isn't just a matter of source code, there are many other areas of
trouble too, such as file formats.  A security vendor I've been stuck with
refuses to document the format of binary files used to exchange public
keys, and when I expressed concern about what other data might be mixed in
with the public key data (there has been some reason to be concerned that
the pass phrases or even the private keys may be in this file in some
form), the vendor emphasized that any attempt to scrutinize the file format
would void my user license.  Is it just me, or is that an unacceptably
arrogant attitude?  Why on earth should I trust a vendor like that?  But
somehow many people do.

----   David C Niemi   ----niemi at tux.org----   Reston VA USA   ----
A key goal of good science fiction is to provoke debate on difficult
ethical questions and personal challenges which would be imposed by
social structures and technologies which the world has not yet faced.