
RE: Closed source & Security (was: Re: Smooth wall - more detailed)



On Thu, 30 Aug 2001, Haim Gelfenbeyn wrote:

> I feel that saying that "open source can be trusted more than closed
> source" is a huge overstatement. There are certain (very few)
> open-source projects (Apache, Linux kernel, etc) which had security
> audits and someone other than the author read the sources. However, for
> the majority of open-source projects this is not the case. Take a look
> at any linux archive. While there is much quality software there,
> there are also lots of programs written badly, and no one in a clear
> mind should depend on them in any production environment.

while i agree with you that open source does not automagically mean
secure, i fail to see how that makes closed source programs MORE secure,
which you seem to imply.

open source gives you the POSSIBILITY of a security audit. closed
source doesn't. with closed source, you are at the mercy of whoever wrote
it and whatever security skills they have. with open source, you at
least have a fighting chance....

> For Linux distributions the situation is even worse. More often than not
> you cannot depend on them to update all the packages with all the latest
> security patches. And it takes exactly one exploit to root the
> machine...
>
> So, if you have time and qualification to:
>
> 1. Review and audit the source code on a regular basis.
> 2. Actively look for updates and patches for all software installed.

you don't have to 'actively look'. passively looking (by subscribing to
bugtraq and to your distro's security announcements) is usually enough.

of course, if you want to be paranoid enough, either check, audit or
write your own software. that's what i did with all externally visible
components of my system (including writing a small customized web
server).

> Then open source is the way to go. But if you don't have time and
> qualification, then a closed-source (or open-source but commercial)
> alternative, if maintained and supported properly, can be a viable
> solution.

i have no qualms with commercial software. i fail to see how a closed
source program can be touted as secure, for the simple reason that you
have NO IDEA WHAT IT REALLY DOES!

It all comes down to levels of paranoia, in the end. remember, just
because you're paranoid does not mean they aren't after you.
-- 
mulix
http://www.advogato.com/person/mulix

linux/reboot.h: #define LINUX_REBOOT_MAGIC1 0xfee1dead


=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il