Debating OSS: Yubico OpenPGP bug "was NOT detected by any audit of the source code", well not competent ones...https://twitter.com/AsherLangton/status/731190908041842688 …
I understand reasons for not going OSS, however I don't like poor claims and incorrect justifications (https://www.yubico.com/2016/05/secure-hardware-vs-open-source/ …)...
...that just hide the real reasons.
Which were the poor claims? Easier if you point to specifics in the article (it's quite long).
too many for tweets, re first one I find it indelicate to point that a bug was found not because of OSS and use it as justification
when that specific bug was a clear sign of the vendor not auditing their code...at all, because that bug was so easy to find...
Exactly. So instead of opening YK4 source, @Yubico should make transparent their _security practices_.
Had they been clear about Neo applet being untested 3rd party code then we would have known it couldn't be trusted.
But opening all of their code does nothing to help us decide if it's good or not. Only verification can do that.
I disagree, it helps and it doesn't hurt...it might contribute 0 worst case but certainly it doesn't hurt technical interests
I am just disappointed with the slow migration to a different model based on commercial concerns rather than technical