this post was submitted on 02 Nov 2023
19 points (88.0% liked)
Open Source
It doesn't really. In theory more eyes on the code means more chance for a security bug to be found, either by white hat researchers or black hat exploiters. In practice this doesn't really pan out; not only are most free software projects small hobbyist endeavors, but even large free software projects with many eyes on them, such as OpenSSL and curl, have had critical security vulnerabilities over the years. When it comes to security issues, having the right eyes on the code matters more than having many eyes.
The original promise of free software, the four freedoms, is all it guarantees. In my opinion this is enough to prefer free software over proprietary.
Aren't your OpenSSL and curl points proving the opposite? Every program will have vulnerabilities, and they had critical security vulnerabilities that were found and fixed.
But yes, I agree that 95% of open source projects have absolutely 0 security testing. It might not matter for some embedded applications, but it matters a great deal for public-facing container plugins, for example. Then again, most closed source software also hasn't been pen tested.
Good point; finding a security vulnerability is a success, not a failure.