Aug 22, 2021 at 19:48 comment added Thorbjørn Ravn Andersen @JimmyJames no, that is not what I am saying. I don't know how you concluded that. Let me phrase it otherwise: the amount of code to review increases faster than the amount of eyeballs to do the reviewing.
Aug 22, 2021 at 17:21 comment added Steffen Ullrich @JimmyJames: "To mount an argument that OSS doesn't provide a benefit here, you need to have statistics, not just anecdotes." - I'm only questioning the claim made by the author of the answer. Based on your argumentation the author would need to show the statistics to support their claim. Maybe you could help the author here.
Aug 22, 2021 at 17:18 comment added JimmyJames @ThorbjørnRavnAndersen So close the source so there's no way to review it? I'm not arguing that OSS is a sufficient condition for security researchers to find vulnerabilities, rather that it's more akin to a necessary condition.
Aug 22, 2021 at 17:16 comment added JimmyJames @SteffenUllrich I once worked with a person who told me that their sister-in-law got into a car wreck and some large logs came through the windshield. The claim was that she survived only because she wasn't wearing a seatbelt. I'm not completely sure of the veracity of this story but I can imagine how that might happen and even if it did, I still think wearing a seatbelt is a good idea. To mount an argument that OSS doesn't provide a benefit here, you need to have statistics, not just anecdotes. Also, how does the fact that a security researcher found Heartbleed fit into your argument?
Aug 22, 2021 at 7:08 comment added Thorbjørn Ravn Andersen @JimmyJames The "given enough eyeballs" premise is not holding. Modern software has reached a size where most people are not interested in scrutinizing software not immediately relevant to what they want to do with their computer, so there simply aren't enough eyeballs to cover everything. Also, real malicious code still works well enough that there are no bug reports, and therefore no reason to look at it.
Aug 21, 2021 at 3:07 comment added Steffen Ullrich @JimmyJames: This was only an example of a critical project where the lack of review was obvious. There are lots of vulnerabilities in OSS and there are lots in closed source. The initial argument I was making was that OSS is not just magically better because everyone in theory can review it, because this does not necessarily lead to more high-quality reviews. There are lots of examples, good and bad, for both closed and open source. In the end it depends on where the efforts are actually spent, i.e. where the money, time and knowledge are. And this can be both open and closed source.
Aug 20, 2021 at 21:30 comment added JimmyJames @SteffenUllrich I'm not, in general, disagreeing with you, but I'm not sure it's a valid argument to point to one defect found in OpenSSL as proof that OSS doesn't provide advantages in this context. There is an immense number of vulnerabilities that have been found in closed source products. If that's the only example you can find, then that's pretty good compared to the apparently endless stream of vulnerabilities that have come out of MS over the years.
Aug 20, 2021 at 18:04 comment added Steffen Ullrich @JimmyJames: Just because review of OSS is easier does not mean that it is actually done to the needed extent and quality. Just take a look at OpenSSL: an essential part of many applications for years, but not enough review, leading to bugs like Heartbleed. Only after this bug did companies start to invest sufficient money to maintain the code base, which then led to a considerable improvement. Good developers are scarce, which means that they usually have well-paid jobs and not much time to do free code review. This leaves unpaid code review to less experienced developers, or nobody is doing it.
Aug 20, 2021 at 15:56 comment added JimmyJames @SteffenUllrich This is true, but with OSS, it seems to me that access to open source by researchers, e.g. at universities all over the world, is a key factor. In order to do similar analysis on closed source, those same researchers need to have been given permission and most likely sign a bunch of legal documents such as NDAs. This pretty obviously raises the bar to access significantly compared to a publicly accessible repo. And even if they find major issues, they may not have the right to publish anything about them, which is the whole point from their perspective.
Aug 20, 2021 at 15:50 comment added JimmyJames @user253751 Per wikipedia: "The essay's central thesis is Raymond's proposition that "given enough eyeballs, all bugs are shallow" (which he terms Linus's law): the more widely available the source code is for public testing, scrutiny, and experimentation, the more rapidly all forms of bugs will be discovered. In contrast, Raymond claims that an inordinate amount of time and energy must be spent hunting for bugs in the Cathedral model, since the working version of the code is available only to a few developers."
Aug 19, 2021 at 23:54 comment added Frank Jackson @user253751 - I may have to re-read it myself 20 years later. I always felt that the essay gave a good indication of the open vs closed source benefits/penalties. But the essay is based on open source. So you are correct. It might not be the best reference material - happy to remove it from my response.
Aug 19, 2021 at 23:46 comment added Frank Jackson @SteffenUllrich - totally agree. The statement was to show that saying OS is more insecure simply because the code is visible creates a false dichotomy, and there are significant other factors that should be taken into account.
Aug 19, 2021 at 14:24 comment added Stack Exchange Supports Israel Was The Cathedral and the Bazaar really about open vs closed source? IIRC it was more like two kinds of open source. But it was a long time ago that I read it.
Aug 19, 2021 at 8:52 comment added Steffen Ullrich "Peer reviewed code is significantly more secure." - that statement is true. But it is not true that OSS is always peer reviewed or that the peer reviews have a high quality, and therefore that OSS has a better quality. Just because the source is open does not magically create experts who have the time and knowledge and nothing else to do than review the code. There were enough disasters in the past which showed a lack of good review, or any review at all, in open source, even for critical software components like OpenSSL. It does not mean that OSS is worse, but it also does not mean it is better.
Aug 19, 2021 at 7:38 history answered Frank Jackson CC BY-SA 4.0