[Cryptography] Would open source solve current security issues? (was "Re: EFF amicus brief in support of Apple")

Perry E. Metzger perry at piermont.com
Wed Mar 9 14:52:18 EST 2016


On Sun, 6 Mar 2016 22:51:25 -0500 "Kevin W. Wall"
<kevin.w.wall at gmail.com> wrote:
> When Eric S. Raymond originally published his epic the "Cathedral
> and the Bazaar" in 1997, his whole premise of:
> 
>     Given enough eyeballs, all bugs are shallow.
> 
> sounded quite plausible and many thought it was almost a guaranteed
> certainty.
> 
> Since that time, almost everyone believes that there was at least
> one underlying fallacious assumption of that premise, namely that
> if source was open and available for examination, then it would in
> fact have "enough eyeballs" viewing it to make a difference in
> software quality. In the almost 19 years since Raymond first
> published CatB, we have come to realize that there just aren't that
> many people actually LOOKING at the source code. So, no eyeballs
> means that open source generally is actually worse than closed
> source, because in most open source projects, there is no
> *separate* QA team to write and perform integration and system
> level testing.

I'm going to subtly disagree, in several ways.

First, and less importantly, modern software development practice no
longer has separate QA teams. These days, most reasonable places do
things like TDD and tests are written by the dev team itself.

Second, and much more importantly, the issue is "what kind of bugs?"
Although it does indeed seem true that bugs that the users notice and
cause them day to day trouble are shallow in open source systems,
because they are irritants to the user community, *security* holes are
a different sort of beast. Those require systematic audits, because
they are generally bugs that are tickled only in extraordinary
circumstances.

I think open source has produced really good results over time. I also
have very little evidence that the security of closed source systems
is better -- see, for example, the record of Microsoft Windows.

What we're talking about here is something different -- which is
whether users are (in general) better off with systems that prevent
them from running software that has not been vetted by a trusted third
party. That is to say, many people seem to be getting a benefit from,
in effect, paying Apple to vet all their applications for them.


Perry
-- 
Perry E. Metzger		perry at piermont.com

