
Re: How secure is an installation with no non-free packages?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Not everyone has to individually audit their own code unless they're
just ridiculously paranoid. It's true that serious bugs can go by
unnoticed. Another example would be that SSL debacle in Debian a few
years back. That thing slipped by without anyone noticing it for years.

I still trust that more people have looked at the GNU/Linux code than
have ever seen most of the closed Intel/AMD code. I also know that
people auditing open code are more likely to point out when
something's wrong than developers working on closed code in a company.
Maybe that's naive but I'm definitely more comfortable with it.

On 09/12/2013 03:01 PM, Jordon Bedwell wrote:
> On Thu, Sep 12, 2013 at 5:01 PM, Jonathan Perry-Houts 
> <jperryhouts@gmail.com> wrote:
>> I can't speak to those packages specifically but I think the
>> answer you'll get from most people, especially in this community,
>> is that non-free software is inherently insecure because you
>> can't know exactly what it is doing. Thus, a fully free system
>> such as Debian with only main enabled or Trisquel or so is, in
>> principle, more trustworthy than any system running non-free
>> code.
>> 
>> That said, free code can of course have bugs and security holes
>> too. It's probably less likely, with a community of thousands
>> auditing it versus a closed group of developers, but it happens.
> 
> This falls on the assumption that people actually audit the open 
> source software they use, which most of the time is not the case 
> because they have the same mentality you imply you have: "with 
> thousands auditing it, why should I? it must be secure"... by that 
> logic with millions auditing Android we shouldn't have had the 
> recent huge crypto issue in Android right?  You know, the one
> that slipped by for years.  We shouldn't have had several other
> bugs that were years unnoticed in other software.
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJSMjxZAAoJEGe6xJ1FYRpRBh8H/2AnDaFqMwQiyHyrTczh7kjF
HBd7M9bloNu9Vn+Ch2s79ofQBcLZ61y+bxau4D8cb/sWEpjBHdfzfJ6xGFWntlBL
NCsEuXOI7out+s0xxIsIRtXGjlS7riY2vnr9CCLsy2mgeN62DFkgzrg907jwI0Cz
onEdC3P1hDRZ9g8WkF/oozWTX4IEl+eberE6tAQeO95Cf0r7FWDQe7lvoj2+PTVE
zgrChcEb7pW/aKh9NbrZNIjET/Zu9X/xPxE3LujYfu6nDfvXBCemNFL+BJ72IL7W
fT9wY6iFCynKxPkhS2NhN9qF8E0R1wNpP3FQ07QSzEjMUsVTECmDAy9zSEi+l8E=
=Tyg6
-----END PGP SIGNATURE-----

