On 7/16/15 12:49 PM, alan@clueserver.org wrote:
On 7/16/15 11:44 AM, grarpamp wrote:
On Thu, Jul 16, 2015 at 1:55 PM, Shelley <shelley@misanthropia.org>
wrote:
On July 16, 2015 10:24:23 AM "Stephen D. Williams" <sdw@lig.net> wrote:

On 7/16/15 7:51 AM, Georgi Guninski wrote:
On Tue, Jul 14, 2015 at 10:02:31AM -0700, Stephen D. Williams wrote:
In a lot of ways, this is an elegant solution and could arguably be
much more secure than desktop apps in Windows.  Assuming your
Lol, is this a positive or negative argument?

it can hardly be less secure than windoze imho.
Cypherpunks + Windows, what do you think?
It's making me break out in hives, stop it!  :p

*shudder*
The bazillion lines of effectively unaudited code in opensource
kernels and software should have the same effect upon you.
I personally have audited quite a bit of FOSS (and enough spot checkers
can get pretty good coverage), but not one line of
proprietary Microsoft, Oracle, or Apple code.  Your fears may be
misplaced.
Large companies regularly scan their open source (and proprietary code)
with Black Duck's ProtexIP software. That product shows if code is
"borrowed" from other places.  They also have open source tools that do
similar things.

The idea that open source is filled with stolen code is FUD.

"Stolen code" isn't really an issue most of the time, but can be legally if a lot is used in a way that conflicts with a license.  Reusing code snippets is, to a large extent, not really a copyright issue and often fair use or use of something that isn't really protected by copyright.  In any case, it is a legal issue separate from the security implications.

The FUD in question is whether there are security problems of some kind lurking in code, and whether it is easier to compromise a binary when you have source to start with.  The flip side is that it is easier to hide back doors in code that has limited access to source code.  Security mistakes, deliberate malware, and detection are possible in both cases, but in different ways, with different numbers of actual or potential people looking and with different likelihood of active positive or negative collusion.

sdw