Debating OSS: Yubico OpenPGP bug "was NOT detected by any audit of the source code", well not competent ones... https://twitter.com/AsherLangton/status/731190908041842688
too many for tweets, re first one I find it indelicate to point that a bug was found not because of OSS and use it as justification
-
when that specific bug was a clear sign of the vendor not auditing their code...at all, because that bug was so easy to find...
-
Exactly. So instead of opening YK4 source,
@Yubico should make transparent their _security practices_.
-
Had they been clear about Neo applet being untested 3rd party code then we would have known it couldn't be trusted.
-
But opening all of their code does nothing to help us decide if it's good or not. Only verification can do that.
-
I disagree, it helps and it doesn't hurt...it might contribute 0 worst case but certainly it doesn't hurt technical interests
-
I am just disappointed with the slow migration to a different model based on commercial concerns rather than technical
-
and the apparent mismanagement of at least 2 security bugs in my mind, again I find the all != OSS dissertation as indelicate
-
I am not against OSS. I just don't want people to assume OSS == more secure. Assurance can be built without opening source.
-
Not justification to go closed, but explanation as to why going closed doesn't impact security assurance as much as thought.