an ominous comment

Stephen D. Williams sdw at lig.net
Fri Jul 17 07:21:57 PDT 2015


On 7/16/15 12:49 PM, alan at clueserver.org wrote:
>> On 7/16/15 11:44 AM, grarpamp wrote:
>>> On Thu, Jul 16, 2015 at 1:55 PM, Shelley <shelley at misanthropia.org>
>>> wrote:
>>>> On July 16, 2015 10:24:23 AM "Stephen D. Williams" <sdw at lig.net> wrote:
>>>>
>>>>> On 7/16/15 7:51 AM, Georgi Guninski wrote:
>>>>>> On Tue, Jul 14, 2015 at 10:02:31AM -0700, Stephen D. Williams wrote:
>>>>>>> In a lot of ways, this is an elegant solution and could arguably be
>>>>>>> much more secure than desktop apps in Windows.  Assuming your
>>>>>> Lol, is this positive or negative argument?
>>>>>>
>>>>>> it can hardly be less secure than windoze imho.
>>>>> Cypherpunks + Windows, what do you think?
>>>> It's making me break out in hives, stop it!  :p
>>>>
>>>> *shudder*
>>> The bazillion lines of effectively unaudited code in opensource
>>> kernels and software should have the same effect upon you.
>> I personally have audited quite a bit of FOSS (and enough spot checkers
>> can get pretty good coverage), but not one line of
>> proprietary Microsoft, Oracle, or Apple code.  Your fears may be
>> misplaced.
> Large companies regularly scan their open source (and proprietary code)
> with Black Duck's ProtexIP software. That product shows if code is
> "borrowed" from other places.  They also have open source tools that do
> similar things.
>
> The idea that open source is filled with stolen code is FUD.
>


"Stolen code" isn't really an issue most of the time, but can be legally if a lot is used in a way that conflicts with a license. 
Reusing code snippets is, to a large extent, not really a copyright issue and often fair use or use of something that isn't really 
protected by copyright.  In any case, it is a legal issue separate from the security implications.

The FUD in question is whether there are security problems of some kind lurking in code, and whether it is easier to compromise a 
binary when you have source to start with.  The flip side is that it is easier to hide back doors in code that has limited access to 
source code.  Security mistakes, deliberate malware, and detection are possible in both cases, but in different ways, with different 
numbers of actual or potential people looking and with different likelihood of active positive or negative collusion.

sdw
