Slashdot Mirror


Open Source Code Isn't a Warranty (opensource.com)

An anonymous reader writes: Automotive software issues such as the Jeep hack and Volkswagen cheating on emissions tests have made headlines this year, which means the public is thinking about software in cars like never before. Some experts have argued that mandating that such software be open source is a solution to the problem. In an article on Opensource.com, Ben Cotton writes that although there are definite benefits to public scrutiny of the software, code visibility alone is no guarantee. It's an important thing to bear in mind, because "Open, therefore secure" is an easy straw man to knock down.

16 of 214 comments

  1. Guarantee by KatchooNJ · · Score: 3, Insightful

    I think the better word choice is "guarantee" instead of "warranty" for the headline.

    --
    "Never give up, for that is just the time and place when the tide will change." -Harriet Beecher Stowe ^_^
    1. Re:Guarantee by ShanghaiBill · · Score: 4, Insightful

      I think the better word choice is "guarantee" instead of "warranty" for the headline.

      Also, "visible source" would be better than "open source". Unless they actually mean that anyone should be able to copy, modify, fork, and redistribute.

    2. Re:Guarantee by binarylarry · · Score: 2, Interesting

      But it allows you to create a guarantee because you can audit it.

      For closed source software, you have to trust the supplier and their guarantee.

      Do you trust yourself or your proprietary software vendor more? It can be a hard choice in some situations.

      --
      Mod me down, my New Earth Global Warmingist friends!
    3. Re:guarantee by bobbied · · Score: 3, Insightful

      And there is no such thing as security in closed source software.

      I'm not so sure you can claim that. While I will admit that closed source software has fewer people scrutinizing it, and generally the more eyes the better, I will not admit that makes it less secure. If security is important enough to the developer of a closed solution, important enough to actually cause the right things to happen during development and test to catch security issues before a solution is released, it can be as secure as any software out there. If you have the right people looking at it, looking for the right things, you can produce secure solutions that are closed source.

      You see, open source just allows more folks to look at the details; it doesn't mean that the right kind of people actually do look at it. With closed source, you can get secure by demanding it from your development team and giving them the resources to accomplish it.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    4. Re:Guarantee by Capt.Albatross · · Score: 3, Insightful

      Do you trust yourself or your proprietary software vendor more? It can be a hard choice in some situations.

      It's a Hobson's choice for me, as I don't have the time or resources to verify the software of my car, let alone those that I rent.

    5. Re:Guarantee by jellomizer · · Score: 2

      For the VW incident, having the code open probably wouldn't do much, as it is just the settings/input file which would cause the damage.
      Your code could be perfect and still used for evil.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    6. Re:Guarantee by mwvdlee · · Score: 2

      That file would be considered source code as well.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    7. Re:Guarantee by ShanghaiBill · · Score: 3, Insightful

      I don't have the time or resources to verify the software of my car

      I don't have the time or resources to replace a bad head gasket in my car. But I am not going to buy a car with the hood welded shut.

    8. Re:Guarantee by Capt.Albatross · · Score: 4, Insightful

      I don't have the time or resources to verify the software of my car

      I don't have the time or resources to replace a bad head gasket in my car. But I am not going to buy a car with the hood welded shut.

      Many of the things you use are welded shut - integrated circuits, for example.

  2. Re:"Open == Secure"? by SecurityGuy · · Score: 3, Insightful

    They're both wrong.

    Open == You can audit it if you want. It's absolutely no guarantee that anyone ever has.

  3. However.. by Anonymous Coward · · Score: 4, Interesting

    The more insight into code, the less likely companies will do what VW did, because it's open to public scrutiny. I think we should be focusing on "Open, therefore open to scrutiny" rather than the misconception of "Open, therefore secure".

  4. "Open, therefore secure" by gQuigs · · Score: 4, Interesting

    or maybe...

    Open, therefore not illegal to review?

  5. Duh... by gweihir · · Score: 4, Insightful

    Another stupid comment by people that do not understand the difference between a "necessary condition" and a "sufficient condition".

    Open-sourcing the software/firmware in question is a necessary thing. That means it must be done. It is not a sufficient condition. That means it is not enough. It still must be done, but other things must be done in addition to get the desired outcome.

    It is almost as if people do not understand basic logic anymore. No surprise so many things in the IT space get screwed up badly these days.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  6. Nothing can prevent vulnerabilities by Willuz · · Score: 2

    Open source vehicle code isn't about preventing vulnerabilities, it's about allowing owners to fix issues that the manufacturer does not fix. In the US an auto manufacturer is only required to perform recalls for 10 years after the initial sale of a vehicle. There are plenty of well maintained vehicles over 10 years old but if a new vulnerability were discovered in the software then the owner would have no way to get it fixed. If the software were open source then it would likely be fixed by someone other than the manufacturer and the owner could take the car to any shop to have the patch installed. Perhaps there needs to be a regulation requiring auto manufacturers to open source all of the code if they have not fixed a vulnerability within a set period of time. This would allow them to fix it and protect their code or force them to let someone else fix it if they don't want to do it.

  7. Re:"Open == Secure"? by Hognoxious · · Score: 2

    With open source, you have the option--no, the power--of getting a second opinion. From someone you select and fund, instead of whomever the original vendor hired.

    Better yet, from one of their competitors.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  8. When we considered open source in the vehicle 15 years ago, the lawyers clobbered it, as the company likes putting the supplier on the hook for recalls.

    In any case, the company is responsible for defects in the open source. You cannot wave away the rights of anyone you plow into, regardless of the cleverness of any disclaimers.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.