Slashdot Mirror


Defending Open Source Security

dpilgrim writes "DevX's A. Russell Jones has thrown down the gauntlet, questioning the security of Open Source software. I've picked up the gauntlet and posted a response over on the O'Reilly Network. As previously discussed on /., Jones' comments are too controversial to ignore."

3 of 260 comments

  1. Article rating and devx hosted rebuttal. by FauxReal · Score: 5, Informative

    Open Source Is Fertile Ground for Foul Play Average Rating: 1.2/5

    The rebuttal "Who's Guarding the Guards? We Are" , also hosted at devx. Average Rating: 4.9/5

  2. Re:Best point is the last by thelen · Score: 4, Informative

    can you trust a precompiled Apache HTTPD from ACME GPU/Linxu

    Nope, but you also cannot trust Thugs R' Us Locksmiths.

    OSS commoditizes software: it devalues code in exchange for freedom of collaboration, the ability to build on others' successes, probably a greater amount of software overall, and I would argue, a faster development cycle. The author of the original article apparently thinks that this is a detriment because it makes it easy to start a malicious company like ACME GPU/Linxu to sell a forked open source product with intentional security holes.

    But we're used to this problem in other industries where products become commonly available and people can form their own businesses utilizing those commodities. And while there *are* scams, most of us accept that we need to exercise judgment in whom we trust. Anyone can go out and buy locksmithing equipment, but if you skip over a known, reputable and trusted vendor in favor of the cheaper 'Thugs' alternative, you get what you deserve: a lock with more keys than you know about.

  3. Re:Laughable assertions by Anonymous Coward · Score: 4, Informative

    You've apparently never been a virus author or cracker or dealt with cleaning up a business site after them, have you? They break in because they *can*, partly as a proof of their "genius" or because they want to steal resources (such as big bandwidth and FTP space) for their own use.

    These jerks can, and do, break into developers' home machines and business machines and steal or modify code to plant bugs. The wonderful thing about open source is the open code review *finds* these damn things, and the huge variety of source repositories and approaches to checking them makes it almost impossible to slip in a back door undetected. And the openness of the user community gets the warning out to the rest of us extremely quickly, rather than the typical corporate software problem where it gets described to the vendor and ignored for many months or even years until it starts being actively used for a wide-scale virus.

    Unfortunately, the closed source also frightens people away from using patches to closed source software, because you can't verify what else was patched and it *does* often break core programs. So avoiding patches becomes corporate policy to protect the stability of your servers, as opposed to correcting issues when they are discovered.

    And security issues *will* be discovered. No system as complex as a large-scale web server or mail-server can be created entirely without bugs.