On Monday 09 July 2018 at 22:10:03, Hendrik Boom wrote:

> On Tue, Jul 10, 2018 at 01:12:58AM +1000, terryc wrote:
> > On Mon, 9 Jul 2018 16:48:34 +0200 Alessandro Selli wrote:
> > > "Since the beginning of the git era (the 2.6.11 release in 2005), a
> > > total of 15,637 developers have contributed to the Linux kernel;
> > > those developers worked for a minimum of 1,513 companies."
> > > 
> > > And this lists only those developers and companies who contributed
> > > to the official code; it does not list security auditors or
> > > developers/companies who work on custom versions of the kernel.
> > 
> > The statement that started the claim was first made by ESR.
> > The rebuttal is all the security holes that have been found in the code
> > in various applications throughout the Linux Epoch.
> 
> I'm not at all convinced that the security holes constitute a rebuttal.
> Methinks they could equally be evidence that having all those eyes on
> the kernel source code is weeding out such security holes.  After all,
> do we know how many security holes are detected by no one reading kernel
> code?

I would look to Microsoft Windows for this.

Quite a number of security holes have been discovered in versions of MS 
Windows over the years, and I'm pretty certain that the vast majority were 
discovered by people with no access to the source code.

It's often commented that closed-source software has more bugs & 
vulnerabilities in it because the developers think "no-one's going to see 
this, so no-one's going to find the bugs" whereas open source developers know 
that anyone can see the mistakes they make, so they pay more attention to not 
making them.

Whether that's true or not is hard to determine, but for me the mere discovery 
of so many problems in MS Windows by people with no access to the source code 
tells me that bugs and security holes will be found, given sufficient incentive 
(e.g. the overwhelming number of Windows PCs on the planet), whether the source 
is open or not.

Thus (coming back to the original argument) I find it hard to believe that 
backdoors and similar deliberate insertions of suspicious code wouldn't have 
been found by people responsible enough to publicise what they discover, given 
that it's clearly possible to do, either with access to the source code or 
without.


Antony.

-- 
"I find the whole business of religion profoundly interesting.  But it does 
mystify me that otherwise intelligent people take it seriously."

 - Douglas Adams

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng