
Re: Bruce Schneier's Proposal to dedicate November meeting to saving the Internet from the NSA

2013-09-07 09:46:26
On Sep 7, 2013, at 9:39 AM, Phillip Hallam-Baker <hallam(_at_)gmail(_dot_)com> wrote:
> Nor does being open source provide any additional security, only review 
> provides security and it is hard enough getting people to review other 
> people's code when you pay them to do that. Expecting people to spend their 
> time reviewing other people's code for fun is naive. Kerberos had a major 
> architectural flaw that went unnoticed for over a decade.

On the contrary, I used to suffer through security audits on ISC DHCP code back 
in the day; people were doing this entirely on a volunteer basis.   I think 
it's incorrect to suggest that open source code doesn't get audited, and indeed 
it's likely that it gets audited more thoroughly and more usefully than a lot 
of closed source code.

It really depends on the setting.   My own company sells closed-source code; 
Andrea asked me the other night whether I thought there might be something 
scary in the code.   I thought about it, and concluded that it was unlikely, 
because we have a very small, tight team, and everybody sees all commits.   I 
think it would be difficult to suborn our code without everyone on the team 
knowing about it, and knowing who is on the team, that would quickly be the 
rest of the world.

An open source project with a less tight team, or a completely suborned team, 
might be far less trustworthy.   But another closed-source project might be far 
worse, if for example the repository were so big that nobody watched all 
commits, and the set of committers so large that it would be easy to suborn one 
of them.

I think the only rule you can go by here is caveat emptor, whether the code is 
open or closed.   You need to actually figure out who you are doing business 
with.

As for compilation versus source, that's a real issue, but open source is a 
clear win here, because you have both the input and the output, and you can 
compare them.   Here, an open source project with a clear build process that is 
replicable is a huge win over one that is complex and wonderful and 
non-replicable. Knowing quite a few of the latter, I hope to see improvements 
that some increased paranoia might yield as people flock to the more verifiable 
builds, and the projects with poor build processes fix them.
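One concrete way to act on the last paragraph's point, added here as an illustration and not part of the thread or any project's tooling: a small checker that runs a build twice in fresh directories under a pinned environment, compares the artifact hashes, and then checks the agreed hash against the hash of the binary actually shipped. The two build commands and the "shipped" hash are constructed stand-ins for a real build.

```python
import hashlib
import os
import subprocess
import tempfile

# Environment pinned for every build so that locale, timezone or timestamps
# cannot leak into the artifact. SOURCE_DATE_EPOCH is the convention that
# reproducible-build tooling honours for embedded dates.
PINNED_ENV = {
    "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
    "SOURCE_DATE_EPOCH": "0",
    "TZ": "UTC",
    "LC_ALL": "C",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_and_hash(build_cmd: str, artifact: str, workdir: str) -> str:
    """Run build_cmd inside a fresh workdir and return the artifact's SHA-256."""
    subprocess.run(build_cmd, shell=True, cwd=workdir, env=PINNED_ENV, check=True)
    with open(os.path.join(workdir, artifact), "rb") as f:
        return sha256_bytes(f.read())


def check_replicable(build_cmd: str, artifact: str, shipped_sha256=None, runs: int = 2):
    """Build `runs` times from scratch and compare the results.

    Returns (replicable, matches_shipped, hashes): replicable is True when every
    run produced byte-identical output; matches_shipped is True only when the
    build is replicable *and* agrees with the hash of the distributed binary.
    """
    hashes = []
    for _ in range(runs):
        with tempfile.TemporaryDirectory() as workdir:
            hashes.append(build_and_hash(build_cmd, artifact, workdir))
    replicable = len(set(hashes)) == 1
    matches = replicable and shipped_sha256 is not None and hashes[0] == shipped_sha256
    return replicable, matches, hashes


if __name__ == "__main__":
    # Constructed stand-ins for a real build: one deterministic, one that
    # embeds its build path (a classic source of non-replicable output).
    good = "printf 'payload' > out.bin"
    bad = "pwd > out.bin"
    print(check_replicable(good, "out.bin", sha256_bytes(b"payload")))
    print(check_replicable(bad, "out.bin"))
```

A build that fails the first check cannot be meaningfully compared against what a vendor ships, which is why the second result is only ever True when the first is.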

