Security Basics mailing list archives
Re: Why open source software is more secure
From: Chad Perrin <perrin () apotheon com>
Date: Tue, 13 May 2008 13:09:14 -0600
On Tue, May 13, 2008 at 10:29:54AM -0700, Hayes, Ian wrote:
> In addition, the recent announcements from Debian and Ubuntu sort of help throw out the idea that open source is inherently "more secure".
Really? You think a single anecdotal instance completely invalidates a heuristic measure of security? Have you studied formal logic at all?
> According to the Debian Security Advisory, a Debian package manager introduced a fault into the OpenSSL package for Debian in 2006 and has persisted until now.
This was a failure of communication, not of the open source "security through visibility" model. The increased probability of security in open source development, all else being equal, is a matter of opportunity and tendency -- not of 100% inviolable "always completely secure" status. If someone said that open source software was always 100% secure, period, I'd agree that this instance is an effective disputation of that statement. If someone said something reasonable, however, like "open source development models tend toward greater security", I'd have to say that this incident serves to disprove *nothing* in that statement.

I wonder how many closed source software projects have the same problem (or similar problems), but we don't know about it because they're closed source projects and the only people discovering the problems are users of fuzzing tools and the like. I'll keep wondering, too, because by the very nature of closed source development we have no way to find out. All we know is that the number of people with the ability to go through source code looking for stupidities like this is greatly reduced in equivalent closed source development projects, and that the motivation for security testing dilettantes to find and report problems is greatly reduced with closed source projects as well -- especially in cases where submitting bug reports actually costs money or security researchers are badly treated (or both, as in the case of Microsoft).

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Patrick J. LoPresti: "Emacs has been replaced by a shell script which 1) Generates a syslog message at level LOG_EMERG; 2) reduces the user's disk quota by 100K; and 3) RUNS ED!!!!!!"
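The Debian OpenSSL fault the thread refers to (Debian Security Advisory DSA-1571, 13 May 2008) removed the calls that mixed entropy into OpenSSL's PRNG state, leaving the process ID as the only unpredictable input to key generation, so at most 32767 distinct keys could be produced per key type and size on a given platform. The following is an added illustration, not Debian's or OpenSSL's code and not part of the original message: a toy key generator (a hash of the seed standing in for real RSA/DSA) in a "broken" variant seeded from the PID alone and a "fixed" variant that mixes in OS entropy, plus the attacker's side, which regenerates every PID-seeded key and matches the public half. The PID range, the hash-based derivation and the victim PID are all assumptions made for the example.

```python
"""Model of the 2008 Debian OpenSSL PRNG fault (DSA-1571).

Added example, not Debian's or OpenSSL's code. Key derivation is a toy
(SHA-256 of the seed), chosen only to show the effect of seeding a key
generator from the process ID alone.
"""
import hashlib
import os
from typing import Optional, Tuple

PID_MAX = 32768  # assumed: default Linux PID range, so 32767 usable seeds


def derive_key(seed: bytes) -> bytes:
    """Toy 'private key': a deterministic function of the PRNG seed."""
    return hashlib.sha256(b"toy-key-derivation|" + seed).digest()


def public_part(private_key: bytes) -> bytes:
    """Toy 'public key': a one-way function of the private key.

    An attacker who can regenerate candidate private keys only needs the
    public half to confirm a hit, which is exactly what made the Debian
    keys enumerable from SSH authorized_keys files and TLS certificates.
    """
    return hashlib.sha256(b"toy-public|" + private_key).digest()


def broken_keygen(pid: int) -> bytes:
    """Debian 2006-2008 behaviour: entropy mixing removed, PID is the only seed."""
    return derive_key(pid.to_bytes(4, "big"))


def fixed_keygen(pid: int, entropy: Optional[bytes] = None) -> bytes:
    """Corrected behaviour: OS entropy is mixed with the PID before deriving."""
    if entropy is None:
        entropy = os.urandom(32)
    return derive_key(pid.to_bytes(4, "big") + entropy)


def recover_private_key(target_public: bytes,
                        pid_max: int = PID_MAX) -> Optional[Tuple[int, bytes]]:
    """Attacker: enumerate every PID-seeded key and compare public halves.

    Returns (pid, private_key) on a match, None if the key was not produced
    by the broken generator (e.g. it came from fixed_keygen).
    """
    for pid in range(1, pid_max):
        candidate = broken_keygen(pid)
        if public_part(candidate) == target_public:
            return pid, candidate
    return None


def demo() -> None:
    victim_pid = 4242  # assumed: PID of the process that generated the key
    weak_pub = public_part(broken_keygen(victim_pid))
    hit = recover_private_key(weak_pub)
    print("broken generator: key recovered from PID", hit[0] if hit else None)

    strong_pub = public_part(fixed_keygen(victim_pid))
    print("fixed generator: recovery result", recover_private_key(strong_pub))


if __name__ == "__main__":
    demo()
```

The whole attack is a loop over 32767 candidates, which is why the real-world response was to regenerate every key created on an affected system and to blacklist the known-weak keys rather than to patch the library alone.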