Apple Cites Open Source Core Security
ChilyMack writes "In a CNet article, Apple senior vice president Bertrand Serlet says, 'A lot of security problems derive from the core ... [With open source code,] thousands of people look at the critical portions of source code and ... check those portions are right. It's a major advantage to have open-source code.'"
Especially considering how just a few days ago Steve Jobs was saying in an interview here [alwayson-network.com] how they were trying to not be blatant about trumpeting this advantage to avoid becoming a target for viruses and other security breaches.
Although, if Steve Jobs points that out in an interview, then how low-profile can it really be?
Though most of the directly network-exposed stuff seems to be generally open source (well, dunno about Rendezvous).
There's a simple Rendezvous implementation that's open source called mDNSResponder. This is the library released for Linux and Darwin.
However, this is not what OS X apps use for Rendezvous. They call functions in the core services. The code in the core services is not open source and probably uses little of the mDNSResponder library.
But even if it did use the mDNSResponder library, just because it's open source doesn't mean it is secure.
At the core of mDNSResponder is a single 318k file called mDNS.c.
It is really tough to work on because it is such a huge mess... and this is the code they released to the public.
By that logic Apache should have more exploits than Microsoft's web server.
It possibly does.
361 Apache advisories on Bugtraq vs. 141 IIS advisories.
A rough and cheap example, but nevertheless a belief that Apache is somehow super secure is nonsense.
The many-eyes argument is a tired one: how many people actually check the code, and how many of those people are experienced enough to find vulnerabilities?
Look at the DARPA-funded Linux security effort. It died because no one was contributing.
Open source is great because you can read the code, but a belief that someone else must be auditing that code leads to security through delusion. Unless YOU are auditing the code, and unless YOU are trained to know how to audit it well, don't assume anyone else is.
It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein