Comment by rurounijones
5 years ago
> When some open-source project has some level of reach there needs to be quality requirements and regular security audits. (like they (last?) did in 2016, https://daniel.haxx.se/blog/2016/11/23/curl-security-audit/)
I think the key question with that is: it all sounds nice, but who is realistically going to pay for it, _especially_ repeatedly?
That's indeed the failure of the system: something sensitive used by billions not being able to pay for a regular audit.
If no one wants to pay for it to have the required quality, why not make it a public utility properly funded by tax, as a public service; instead of later paying the costs, in various forms, of the consequences of the vulnerabilities.
How about the companies who need that sort of security audit for the software they rely on?
I haven't seen much evidence of this happening on anything approaching a wide scale. For example, the piece of software in the article is used almost everywhere (governments, companies, etc.) and yet it still cannot get the funds for yearly audits.