this post was submitted on 30 Mar 2024
1551 points (97.7% liked)

linuxmemes

21393 readers
1186 users here now

    [–] oce@jlai.lu 26 points 7 months ago (3 children)

    Crowd sourcing vulnerability analysis and detection doesn’t make open source software inherently more secure.

    It does, because many more eyes can find issues, as illustrated by this story.

    Closed source isn't inherently bad, but it's worse than open source in many cases including security.

    I think you're the only one here thinking publishing PoC is bad.

    [–] prettybunnys@sh.itjust.works 4 points 7 months ago* (last edited 7 months ago) (1 children)

    This is literally how I make my living and this is the only comment I’ve made so I’m not sure where you get the idea I think publishing vulnerabilities and PoC are bad … again I literally do this for a living.

    Finding vulnerabilities and reporting them is literally what pays my mortgage. Open Source, Closed Source, they both have their merits but to say one is inherently more secure because of the reasons you’re specifying is tacitly false.

    My comment is literally only about what you said, which pushes a thought that slides too far in one direction. There is a reason no nation state will open source their military hardware.

    [–] oce@jlai.lu 0 points 7 months ago* (last edited 7 months ago) (1 children)

    Then please explain why the reasons specified here are false, beyond that argument from authority.

    [–] prettybunnys@sh.itjust.works 2 points 7 months ago* (last edited 7 months ago) (1 children)

    I don’t need to repeat myself but that’s all I’d be doing.

    You’re making the argument that open source software inherently does this better and I’m telling you that you’re wrong. I’m going to cite myself, a 20 year veteran in the field.

    It can do it better and often times it does work out this way.

    Closed source software also has value and use and for its own set of reasons could make the argument that it is more secure because of access controls and supply chain management and traditional security mechanisms.

    I think you read what I wrote as a “no you’re entirely wrong” whereas what I said was “you’re asserting things that aren’t true which is weakening the argument”

    Frankly though given the lack of response to what I actually said by anyone I’m just going to rest on knowing in the real world my input is considered valid, here where we’re being fanatics … idk for all you know I’m a bot spewing AI generated drivel.

    Maybe the disconnect here is I’m talking about practical application because of experience vs theoretical application because of ideology.

    [–] oce@jlai.lu 0 points 7 months ago* (last edited 7 months ago) (1 children)

    No I don't think you said I was entirely wrong, that part was clear enough.

    My issue is more with your argument from authority and personal experience. It is very easy to be biased by personal experience, especially when it brings good money.

    access controls and supply chain management and traditional security mechanisms.

    So I'll put my personal experience too (which is also a low value argument). From the outside it may seem this is well done in big companies. But the reality is that this is often a big mess and security often depends on some guy, if any, actually having some standards and enforcing them, until they leave because the company doesn't value those tasks. But since it's closed source, nobody knows about it. With open source, there's more chance more people will look at this system and find issues.
    I don't doubt some ultra sensitive systems like nuclear weapons have a functional closed source security process because the government understands the risk well enough. But I think there are way more closed source systems, at a lower danger level but which still impact people's security, that are managed with a much lower standard than if they were open-sourced.

    [–] prettybunnys@sh.itjust.works 1 points 7 months ago* (last edited 7 months ago) (1 children)

    I do agree that your words are in fact a low value argument. We’ve found common ground.

    Your heart is in the right place but there is nuance you’re clobbering by not being willing to be open minded.

    [–] oce@jlai.lu 0 points 7 months ago (1 children)

    You have provided no valuable argument except "believe my experience", so I am answering with an equally weak one. Provide me some good quality study and I will be happy to change my mind. I recognize this lack of enlightening information is pretty aligned with closed source philosophy.

    [–] prettybunnys@sh.itjust.works 1 points 7 months ago* (last edited 7 months ago) (1 children)

    I think you asking me for “quality study” informs me that I don’t want to talk to you about this anymore.

    I understand ideologically you’re all for open source software (so am I, but you can’t see that) and you believe there is no merit to closed source software. You believe open source software is inherently more secure and nothing will convince you otherwise and to be honest I just don’t care.

    In the real world your argument falls flat, the ideology is great but practically it doesn’t shake out that way. If you’re incapable of recognizing the merits AND flaws in both systems then I don’t have any desire to continue talking to myself.

    I’ve not at one moment argued against anything other than your narrow view, I am a proponent of open source software and am a contributor to a project I guarantee impacts your life every day. I’m not shitting on open source and never would.

    All of the things you say CAN make it better and many times do. That said it doesn’t inherently make it better and just because you crowdsource doesn’t mean you got it right. There is nuance. Democracy always fails on the idea that 1 Million Voices are smarter than 1, which isn’t always the case.

    Open Source Software ought to be used EVERYWHERE IT MAKES SENSE and not used where it doesn’t.

    The problem is when people make statements that just aren’t true to push for something that can stand on its own without false narratives.

    [–] oce@jlai.lu 0 points 7 months ago

    A lot of straw man arguments. Overall, I think we agree on the value of open source.

    [–] squaresinger@feddit.de 3 points 7 months ago (1 children)

    But this issue wasn't found because of code analysis per se, but because of microbenchmarking.

    [–] oce@jlai.lu 1 points 7 months ago

    That's a good point, but wasn't the microbenchmarking possible, published and analyzed because it is open source? Also the vulnerability analysis, impact analysis and fix can be peer reviewed by more eyes.

    [–] summerof69@lemm.ee 2 points 7 months ago (1 children)

    It does, because many more eyes can find issues, as illustrated by this story.

    This story illustrates that some eyes can find some issues. For a proper discussion we need proper data and ratios; only then could we compare. How many issues are there in open and closed source software? How many of them are getting fixed? Unfortunately, we don't have this data.

    [–] oce@jlai.lu 1 points 7 months ago

    I think some of this data is actually available for open source projects by scanning public repositories, although it would be a lot of work to collect it.