[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How secure is an installation with with no non-free packages?

Hash: SHA1

I still don't see why this should make me trust closed code more. For
all I know Intel's code is full of lines like that, or worse.

On 09/12/2013 03:15 PM, Jann Horn wrote:
> On Thu, Sep 12, 2013 at 05:01:09PM -0500, Jordon Bedwell wrote:
>> On Thu, Sep 12, 2013 at 5:01 PM, Jonathan Perry-Houts 
>> <jperryhouts@gmail.com> wrote:
>>> I can't speak to those packages specifically but I think the
>>> answer you'll get from most people, especially in this
>>> community, is that non-free software is inherently insecure
>>> because you can't know exactly what it is doing. Thus, a fully
>>> free system such as Debian with only main enabled or Trisquel
>>> or so is, in principle, more trustworthy than any system
>>> running non-free code.
>>> That said, free code can of course have bugs and security holes
>>> too. It's probably less likely, with a community of thousands
>>> auditing it versus a closed group of developers, but it
>>> happens.
>> This falls on the assumption that people actually audit the open 
>> source software they use, which most of the time is not the case 
>> because they have the same mentality you imply you have: "with 
>> thousands auditing it, why should I? it must be secure"... by
>> that logic with millions auditing Android we shouldn't have had
>> the recently huge crypto issue in Android right?  You know, the
>> one that slipped by for years.  We shouldn't have had several
>> other bugs that were years unnoticed in other software.
> Exactly. There's a bunch of simple-to-spot mistakes in open source
> software because nobody actually reads the source. Android has/had
> a bunch of such mistakes for quite a while: Reuse of IVs in a block
> cipher, simple filesystem races, missing input sanitation, missing
> delimiters... a lot of this is really simple stuff that anyone
> reading the code should be able to spot.
> Often, coders who don't have a lot of experience with security just
> write their code and maybe add a comment "TODO check the security
> of this, I have no idea about it". Or "I copy-pasted this security
> check, but I'm not really sure about how well-written it is". And
> then that comment usually stays forever.
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/


Reply to: