[clug] Anti-Virus Software

Paul Wayper paulway at mabula.net
Tue Jun 29 05:41:08 MDT 2010



On 06/27/2010 12:39 PM, Daniel Pittman wrote:
> Paul Wayper <paulway at mabula.net> writes:
>> On 06/25/2010 01:16 PM, Kevin Pulo wrote:
>>> On Fri, Jun 25, 2010 at 12:24:41PM +1000, Paul Wayper wrote:
> 
> [...]
> 
>> Open Source Software makes an additional assertion: that everyone can
>> inspect it freely.  This has proven to reduce the chance of really obvious
>> backdoors slipping into the code, and increases the quality of the code
>> because more people see different problems and because shoddy code is
>> exposed quicker.
> 
> Hey, excellent.  I would be really interested, if you could point to them, to
> see the studies that prove that OSS has reduced the chance of backdoors
> getting in, and that it improves code quality.

I'd have to find them :-)  I'm sure there are studies either way, so we could
cherry-pick our results to suit our arguments.

> I am interested, in large part, because the studies I am aware of seem to keep
> coming up with approximately the same bugs-per-line metrics as closed
> software, and so on, so I don't feel comfortable personally making a claim
> that OSS is any better than CSS.

'Bugs-per-line' and many other metrics have never been good ways to measure
security, or even quality.  Microsoft loves to quote "bugs in a standard
install" because most distros install heaps of stuff (e.g. PDF readers,
daemons, NTP servers, etc).  Red Hat and so forth like to point to the number
of critical vulnerabilities in core systems, since that's always higher for
Microsoft.

My claim (let's say) is based on these observations from my own first-hand
experience:

* Developing code that's viewable by others puts a lot of social pressure on
the developer(s) to do the right thing - pride in making something good, and
fear of releasing something shameful.
* Having the source code there to view makes it easier for security
researchers to review and improve it.
* Open Source projects often invite contributions and comments from interested
people while still vetting those contributions.
* FOSS projects are less bound by the constraints of budget, release dates and
advertised claims.  They can release something when it's ready, not when
marketing says they should or when the programmer budget runs out.

Sure, there are similar claims that closed source software developers make as
to how their development model is better.  But they don't include sharing the
code with everyone.

>> Proprietary software can never make this claim.
> 
> Sure it can; one of the most trivial ways is this:

Ah, well when you say "...they may not be /supportable/ claims..." I think you
shoot yourself in the foot there.  I mean, if we're not fettered by the
shackles of truth or justification then it's rather easy to make any claim we
like.

And all the usual arguments - such as yours, and professionalism and funding
and resources and patents and IP and so forth - have all been put forward to
justify closed source development.  None of them attempt to counter the "all
bugs are shallow" and "security through openness" arguments that are the core
of secure open source development.  To me they seem to try to say "you know,
OSS might have thousands of eyes looking at it and some of the best security
researchers looking at it and be developing in an environment where it's very
difficult to hide a bug not to mention a deliberately exploitable back door,
but we have this special development model that is somehow better than that."

Your criticisms of FOSS projects, while fairly general, are valid.  FOSS
projects - not just the kernel, but a lot of things like SSH, Apache, SaMBa,
iptables et al - all have different development models, different bug
trackers, different commit methodologies and different permissions.  These
things don't often present a convenient or professional public interface.
There are no guarantees that an issue will be noticed, dealt with properly or
resolved.

But closed source _cannot_ claim to make its code available in the way open
source software does.  Closed source _cannot_ claim to be as well scrutinised
by as many people.  Closed source _cannot_ claim a "security through openness"
mindset that dates back to the earlier locksmiths.  Those are the claims that
I am saying that closed source software cannot make, and despite companies
trying to distract us with "oh, we're so good we don't _need_ scrutiny"
arguments they will still never be able to make those claims.

If everything is equal - if there are the same proportion of evil commie
mutant traitor bad guys in the Linux kernel development team as there are in
Microsoft's kernel development team - then the claim still stands.

There are plenty of things to criticise Open Source Software about.  But being
open to inspection isn't IMO one of them.

Have fun,

Paul

