On Thu, Sep 12, 2013 at 05:01:09PM -0500, Jordon Bedwell wrote:
> On Thu, Sep 12, 2013 at 5:01 PM, Jonathan Perry-Houts
> <jperryhouts@gmail.com> wrote:
> > I can't speak to those packages specifically but I think the answer
> > you'll get from most people, especially in this community, is that
> > non-free software is inherently insecure because you can't know
> > exactly what it is doing. Thus, a fully free system such as Debian
> > with only main enabled or Trisquel or so is, in principle, more
> > trustworthy than any system running non-free code.
> >
> > That said, free code can of course have bugs and security holes too.
> > It's probably less likely, with a community of thousands auditing it
> > versus a closed group of developers, but it happens.
>
> This falls on the assumption that people actually audit the open
> source software they use, which most of the time is not the case
> because they have the same mentality you imply you have: "with
> thousands auditing it, why should I? it must be secure"... by that
> logic with millions auditing Android we shouldn't have had the
> recent huge crypto issue in Android, right? You know, the one that
> slipped by for years. We shouldn't have had several other bugs that
> went unnoticed for years in other software.

Exactly. There's a bunch of simple-to-spot mistakes in open source
software because nobody actually reads the source. Android has/had a
bunch of such mistakes for quite a while: reuse of IVs in a block
cipher, simple filesystem races, missing input sanitization, missing
delimiters... a lot of this is really simple stuff that anyone reading
the code should be able to spot.

Often, coders who don't have a lot of experience with security just
write their code and maybe add a comment "TODO check the security of
this, I have no idea about it". Or "I copy-pasted this security check,
but I'm not really sure about how well-written it is". And then that
comment usually stays forever.
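As an added illustration of the "missing delimiters" mistake named in the message above (this is example code written for this page, not code from the thread, from Android, or from any project; the key and the two transfer messages are constructed for the demo), the following shows why joining fields with nothing between them before computing a MAC is a bug, and the length-prefixed encoding that fixes it:

```python
from __future__ import annotations

import hashlib
import hmac
import struct

# Constructed demo key. A real service would load a secret from its key store.
KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed sample messages: (amount, destination account) for a transfer.
LEGIT = [b"10", b"0999"]   # pay 10 to account 0999
FORGED = [b"100", b"999"]  # pay 100 to account 999: same bytes, different split


def tag_naive(key: bytes, fields: list[bytes]) -> bytes:
    """BUG: joins the fields with nothing between them, so two different
    splits of the same byte string (LEGIT and FORGED above) get the same tag."""
    return hmac.new(key, b"".join(fields), hashlib.sha256).digest()


def encode_fields(fields: list[bytes]) -> bytes:
    """Unambiguous encoding: each field is prefixed with its 4-byte big-endian
    length, so the field boundaries become part of what is authenticated."""
    out = bytearray()
    for f in fields:
        out += struct.pack(">I", len(f)) + f
    return bytes(out)


def decode_fields(blob: bytes) -> list[bytes]:
    """Inverse of encode_fields; rejects truncated data instead of guessing."""
    fields = []
    pos = 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("field runs past end of data")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields


def tag_fixed(key: bytes, fields: list[bytes]) -> bytes:
    """MAC over the length-prefixed encoding: re-splitting the bytes changes
    the encoded input and therefore the tag."""
    return hmac.new(key, encode_fields(fields), hashlib.sha256).digest()


def verify_fixed(key: bytes, fields: list[bytes], tag: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(tag_fixed(key, fields), tag)


def demo() -> tuple[bool, bool]:
    """Returns (naive tags collide, fixed tags collide) for LEGIT vs FORGED."""
    naive_collides = tag_naive(KEY, LEGIT) == tag_naive(KEY, FORGED)
    fixed_collides = tag_fixed(KEY, LEGIT) == tag_fixed(KEY, FORGED)
    return naive_collides, fixed_collides


if __name__ == "__main__":
    naive, fixed = demo()
    print("no-delimiter tag collides for LEGIT vs FORGED:", naive)
    print("length-prefixed tag collides for LEGIT vs FORGED:", fixed)
```

With the naive scheme the tag over ("10", "0999") and the tag over ("100", "999") are both just HMAC over b"100999", so anyone holding a validly signed 10-unit transfer to account 0999 can present it as a 100-unit transfer to account 999 and it verifies. The length prefix fixes this because the boundaries are authenticated along with the bytes. A fixed separator byte also works, but only if every field is checked to never contain that byte; the length prefix needs no such check, which is why it is the safer default.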