Comment by varispeed

4 years ago

Nothing is perfect, but is it better than not having any eyes? If anything, this shows that more eyes is needed.

The argument isn’t having no eyes is better than some eyes. Rather, it’s commonly argued that open source is better for security because there are more eyes on it.

What this research demonstrates is that you can quite easily slip back doors into an open contribution (which is often but not always associated with open source) project with supposedly the most eyes on it. That’s not true for any closed source project which is definitely not open contribution. (You can go for an open source supply chain attack, but that’s again a problem for open source.)

  • > it’s commonly argued that open source is better for security because there are more eyes on it.

    > What this research demonstrates is that you can quite easily slip back doors into an open contribution

    To make a fair comparison you should contrast it with companies or employees placing backdoors into their own closed source software.

    It's extremely easy to do and equally difficult to spot for end users.

    • Recruiting a rogue employee is orders of magnitude harder than receiving ostensibly benign patches in emails from Internet randos.

      Rogue companies/employees are really a different security problem that’s not directly comparable to drive-by patches (the closest comparison is a rogue open source maintainer).