
Re: How secure is an installation with no non-free packages?



I still don't see why this should make me trust closed code more. For
all I know Intel's code is full of lines like that, or worse.

On 09/12/2013 03:15 PM, Jann Horn wrote:
> On Thu, Sep 12, 2013 at 05:01:09PM -0500, Jordon Bedwell wrote:
>> On Thu, Sep 12, 2013 at 5:01 PM, Jonathan Perry-Houts 
>> <jperryhouts@gmail.com> wrote:
>>> I can't speak to those packages specifically but I think the
>>> answer you'll get from most people, especially in this
>>> community, is that non-free software is inherently insecure
>>> because you can't know exactly what it is doing. Thus, a fully
>>> free system such as Debian with only main enabled or Trisquel
>>> or so is, in principle, more trustworthy than any system
>>> running non-free code.
>>> 
>>> That said, free code can of course have bugs and security holes
>>> too. It's probably less likely, with a community of thousands
>>> auditing it versus a closed group of developers, but it
>>> happens.
>> 
>> This falls on the assumption that people actually audit the open 
>> source software they use, which most of the time is not the case 
>> because they have the same mentality you imply you have: "with 
>> thousands auditing it, why should I? it must be secure"... by
>> that logic with millions auditing Android we shouldn't have had
>> the recently huge crypto issue in Android right?  You know, the
>> one that slipped by for years.  We shouldn't have had several
>> other bugs that were years unnoticed in other software.
> 
> Exactly. There's a bunch of simple-to-spot mistakes in open source
> software because nobody actually reads the source. Android has/had
> a bunch of such mistakes for quite a while: Reuse of IVs in a block
> cipher, simple filesystem races, missing input sanitation, missing
> delimiters... a lot of this is really simple stuff that anyone
> reading the code should be able to spot.
> 
> Often, coders who don't have a lot of experience with security just
> write their code and maybe add a comment "TODO check the security
> of this, I have no idea about it". Or "I copy-pasted this security
> check, but I'm not really sure about how well-written it is". And
> then that comment usually stays forever.
> 

