[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How secure is an installation with with no non-free packages?

Hash: SHA1

Not everyone has to individually audit their own code unless they're
just ridiculously paranoid. It's true that serious bugs can go by
unnoticed. Another example would be that SSL debacle in Debian a few
years back. That thing slipped by without anyone noticing it for years.

I still trust that more people have looked at the GNU/Linux code than
have ever seen most of the closed Intel/AMD code. I also know that
people auditing open code are more likely to point out when
something's wrong than developers working on closed code in a company.
Maybe that's naive but I'm definitely more comfortable with it.

On 09/12/2013 03:01 PM, Jordon Bedwell wrote:
> On Thu, Sep 12, 2013 at 5:01 PM, Jonathan Perry-Houts 
> <jperryhouts@gmail.com> wrote:
>> I can't speak to those packages specifically but I think the
>> answer you'll get from most people, especially in this community,
>> is that non-free software is inherently insecure because you
>> can't know exactly what it is doing. Thus, a fully free system
>> such as Debian with only main enabled or Trisquel or so is, in
>> principle, more trustworthy than any system running non-free
>> code.
>> That said, free code can of course have bugs and security holes
>> too. It's probably less likely, with a community of thousands
>> auditing it versus a closed group of developers, but it happens.
> This falls on the assumption that people actually audit the open 
> source software they use, which most of the time is not the case 
> because they have the same mentality you imply you have: "with 
> thousands auditing it, why should I? it must be secure"... by that 
> logic with millions auditing Android we shouldn't have had the 
> recently huge crypto issue in Android right?  You know, the one
> that slipped by for years.  We shouldn't have had several other
> bugs that were years unnoticed in other software.
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/


Reply to: