These are completely conflicting opinions: 1) Closed source software with no obfuscation and all compiled code accessible in a controlled environment is substantially harder to audit 2) Publishing sources doesn't make it substantially easier for attackers to find vulnerabilities
...with open source you get a considerable amount of audit for free just by eyes dealing with building/bug reports/porting.
-
Whenever someone reports a program not working with musl, I almost always run across significant source level bugs while investigating.
-
Most open source projects are developed by only a couple of people and rarely if ever have anyone else looking at more than an API. It's not really helping defenders to have tens of millions of GitHub repositories.
-
For example, do you think it would be good or bad for your security to put all of your dotfiles without credentials on GitHub? You might have a glaring security hole in your configuration. Someone might point it out to you so you can fix it, or someone might exploit it.
-
Attackers often don't have a lot of resources. You might just make a troll angry on IRC or Twitter and they look through your profiles, GitHub repositories, etc. and find a mistake in a configuration file or some plugin / script you made that lets them exploit you.
-
Whether it's a net benefit is based on how helpful the sources are (very helpful for C, ridiculously helpful for C++, negligible for Java) and whether people actually end up using the sources to make the software more secure / robust (not the case for 99% of projects).
-
Rust sources are perhaps even more helpful than C++ sources since the code has so many layers of simple abstractions designed to be reliably stripped away by trivial compiler optimizations and they default to LTO (C++ abstractions are harder to strip away).
-
Definitely believe that open source software *can* get security benefits from being open source (and popular projects *often* do) but not really that it's harder to find a backdoor if you only have the machine code.
-
People need to think more about what a backdoor would look like, even just one made by 1 person that's relatively smart. Not talking about the leftover debugging code that often gets called a backdoor but something genuinely malicious.