OK, but I'm guessing you still use an OS that has regular security updates of bugdoor-equivalent vulnerabilities? So the point remains, right? There would be no penalty for getting caught shipping a bugdoor.
I don't follow, having the source available would eliminate that - but what difference does it make if it's reproducible? To be clear, I believe having the source available - whether the vendor is trusted or not - is beneficial to security.
If there is, say, an N-factor overhead to working with decompiled binaries rather than source, and projects ship with efficiently reproducible source code — then P0 finds N times as many bugs in the same amount of time, for any project that has open source. That seems good.
OK, but let's separate out these components. There are two parts. There's the source code, which we both agree has benefits. Then there are things like seeds for -frandom-seed. What is the benefit to Project Zero of the second?