From: Chad Perrin
To: freebsd-questions@freebsd.org
Date: Fri, 5 Jun 2009 12:05:12 -0600
Subject: Re: Open_Source
Message-ID: <20090605180512.GD87456@kokopelli.hydra>

On Wed, Jun 03, 2009 at 08:32:38PM +0200, Wojciech Puchar wrote:
>
> Everyone can find them and fix, but at the same time everyone can find
> them and use them.
>
> With closed source both are more difficult.

That's not strictly true. In general, it's easier to discover vulnerabilities through reverse engineering techniques, fuzzing, et cetera, than by sifting through source code. The exceptions are cases where someone made a *really* bone-headed coding error.

As a result, except when a programmer who adds code to the project is just completely incompetent (or has such an incompetent moment -- we all make mistakes), and it somehow passes review by other people on the development team (unlikely unless people aren't reviewing each other's code), it really isn't any easier to discover security vulnerabilities in open source software than in closed source software.

The purely technical difference provided by open source software when it comes to vulnerability discovery and patching is that, once a vulnerability has been found, its origins in the source code can be tracked down and patched by *anyone*.

In short, in technical terms, open source software makes it easier to *fix* vulnerabilities because it opens the pool of potential patch developers beyond the core team, but it doesn't really make it any easier to *discover* vulnerabilities in the general case.

Then, of course, there are the social effects -- which encourage people who have a healthy interest in the software to contribute to its security and stability through a number of related social mechanisms. Overall, it's a tremendous win for open source software development.

That doesn't mean that any given open source application will necessarily, inherently be more secure than any given closed source equivalent. It does, however, mean that if you're a betting man, your chances of winning a bet lie with the open source application, all else being equal.

>
> >In MICROS~1 land, you give yourself entirely into the hand of a
> >corporation that is not interested in selling secure products,
>
> So this is not an open/closed source problem, but a micro-soft approach.
> They just don't care about security. As they don't care about performance
> and about bugs. But that's just micro-soft.

Part of the problem of closed source software is that it provides a kind of "safe haven" for such unscrupulous software developers and vendors, where many such failings of secure development may go unnoticed due to the inability to determine exactly what's going on under the hood once you've noticed there's something wrong with the application.

--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
Common Reformulation of Greenspun's Tenth Rule: Any sufficiently
complicated non-Lisp program contains an ad hoc informally-specified
bug-ridden slow implementation of half of Common Lisp.