I still don't see why this should make me trust closed code more. For all I know Intel's code is full of lines like that, or worse.

On 09/12/2013 03:15 PM, Jann Horn wrote:
> On Thu, Sep 12, 2013 at 05:01:09PM -0500, Jordon Bedwell wrote:
>> On Thu, Sep 12, 2013 at 5:01 PM, Jonathan Perry-Houts
>> <[email protected]> wrote:
>>> I can't speak to those packages specifically, but I think the answer you'll get from most people, especially in this community, is that non-free software is inherently insecure because you can't know exactly what it is doing. Thus, a fully free system such as Debian with only main enabled, or Trisquel or so, is, in principle, more trustworthy than any system running non-free code.
>>>
>>> That said, free code can of course have bugs and security holes too. It's probably less likely, with a community of thousands auditing it versus a closed group of developers, but it happens.
>>
>> This falls on the assumption that people actually audit the open source software they use, which most of the time is not the case, because they have the same mentality you imply you have: "with thousands auditing it, why should I? It must be secure"... By that logic, with millions auditing Android we shouldn't have had the recent huge crypto issue in Android, right? You know, the one that slipped by for years. We shouldn't have had several other bugs that went unnoticed for years in other software.
>
> Exactly. There's a bunch of simple-to-spot mistakes in open source software because nobody actually reads the source. Android has/had a bunch of such mistakes for quite a while: reuse of IVs in a block cipher, simple filesystem races, missing input sanitation, missing delimiters... A lot of this is really simple stuff that anyone reading the code should be able to spot.
>
> Often, coders who don't have a lot of experience with security just write their code and maybe add a comment "TODO check the security of this, I have no idea about it". Or "I copy-pasted this security check, but I'm not really sure about how well-written it is". And then that comment usually stays forever.

Archive: http://lists.debian.org/[email protected]

