this post was submitted on 02 Nov 2023
18 points (87.5% liked)

Open Source

31095 readers
491 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

There are some people won't touch anything to do with open source projects as they feel it might have issues with security. What does open source actually do for security or change how it works?

you are viewing a single comment's thread
view the rest of the comments
[–] beyond@linkage.ds8.zone 5 points 1 year ago* (last edited 1 year ago) (2 children)

It doesn't really. In theory more eyes on the code means more chance for a security bug to be found, either by white hat researchers or black hat exploiters. In practice this doesn't really pan out; not only are most free software projects small hobbyist endeavors, but even large free software projects with many eyes on them, such as OpenSSL and curl, have had critical security vulnerabilities over the years. When it comes to security issues, having the right eyes on the code matters more than having many eyes.

The original promise of free software, the four freedoms, is all it guarantees. In my opinion this is enough to prefer free software over proprietary.

[–] JustEnoughDucks@feddit.nl 2 points 1 year ago (1 children)

Isn't your OpenSSL and curl points proving the opposite? Every program will have vulnerabilities and they had critical security vulnerabilities that were found and fixed.

But yes, I agree that 95% of open source projects have absolutely 0 security testing. Might not matter for some embedded applications, but it matters a great deal for public facing container plugins for example. Then again, most closed source software also hasn't been pen tested.

[–] ZenFriedRice@lemmy.ml 1 points 1 year ago

Good point, finding a security vulnerability is a success not a failure.