this post was submitted on 02 Nov 2023
18 points (87.5% liked)

Open Source


There are some people who won't touch anything to do with open source projects as they feel it might have issues with security. What does open source actually do for security, or how does it change how security works?

[–] PrecisePangolin@lemmy.ml 14 points 10 months ago (1 children)

In my opinion it makes a project even more secure. Many eyes are able to inspect the code and review it for known and unknown vulnerabilities. It is a cat and mouse game anyway, you might as well broadcast all the flaws in hopes of people catching them and helping to fix them.

[–] SamXavia@kbin.run 3 points 10 months ago (1 children)
[–] otter@lemmy.ca 11 points 10 months ago* (last edited 10 months ago) (1 children)

I think the argument is usually

If bad people see the code, they can spot vulnerabilities and exploit them

But I think that's not really how it works, because it doesn't cost anything to try an exploit. People generally aren't going to look through the code to try and spot a weakness when they can just run an automated thing to attempt common vulnerabilities. Open source, closed source, bad code will fail the same.

I see it as a lock. With open source, you know how the internal mechanism is supposed to work and you can judge how secure it is. With closed source, someone says "trust me" and doesn't show you how the inside works. It could just be a "if something metal is inserted, unlock the system".

Ultimately the best thing is to look for open source software that's been audited. If no one has checked the FOSS code, then you don't actually know it's safe. Once that's happened, best of both worlds.


One other concern might be "if it's open source, then everyone can see my password!"

Which is just... wrong
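The lock analogy above, as an added example that is not part of the thread (names, secret and probe inputs are all constructed for illustration): `weak_unlock` is the "if something metal is inserted, unlock the system" lock, `hardened_unlock` is a lock that actually checks the key. With the source, a reviewer spots the flaw by reading one line; without it, the same short list of routine inputs a security test suite sends to any login function finds the flaw anyway, which is the point that bad code fails the same whether the source is published or not.

```python
"""Toy 'lock' illustrating the open-vs-closed source argument.

Added example, not code from the thread. All names and values are constructed.
"""
import hashlib
import hmac

# Constructed secret for the demo; a real system would load this from a secrets store.
SECRET = "correct-horse-battery-staple"


def weak_unlock(token: str) -> bool:
    """The 'any piece of metal opens it' lock: accepts any non-empty token.

    With the source in front of you, this one line is the whole review.
    """
    return len(token) > 0


def hardened_unlock(token: str) -> bool:
    """Compare a digest of the presented token against a digest of the secret.

    hmac.compare_digest runs in constant time, so the check neither leaks
    timing information nor accepts anything but the real secret.
    """
    expected = hashlib.sha256(SECRET.encode()).digest()
    presented = hashlib.sha256(token.encode()).digest()
    return hmac.compare_digest(expected, presented)


# Constructed list of routine inputs a black-box security test feeds to an
# authentication function. None of them should ever unlock anything.
COMMON_PROBES = ["", "password", "admin", "123456", "a"]


def probe(unlock) -> list:
    """Return the probe inputs that unexpectedly unlock. Empty list means the check held."""
    return [p for p in COMMON_PROBES if unlock(p)]


if __name__ == "__main__":
    # Without source access, the black-box test still exposes the weak lock.
    print("weak lock opened by:", probe(weak_unlock))
    print("hardened lock opened by:", probe(hardened_unlock))
    print("hardened lock with real key:", hardened_unlock(SECRET))
```

The takeaway for a defender: publishing the source does not hand an attacker anything the black-box test did not already give them, but it does let a reviewer see that `weak_unlock` is broken before anyone has to probe it at all.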

[–] otter@lemmy.ca 3 points 10 months ago

Oh and in practice, companies might pick a closed source paid product over a free and open source one.

But it's not the product, it's the legal/financial agreements. Companies like to externalize the risk instead of taking it on themselves. They like being able to sue someone if things go wrong.

The other company might be running the FOSS software too. They're taking on the responsibility.


Oh and finally, a lot of open source products and protocols are used by closed source companies.

ex. Signal protocol is used by Facebook for some things