> I still maintain that source availability is irrelevant. Say you run a piece of closed-source software for years and years. Then one day you see the source, and find tons of holes in it. Was it more secure before you saw the source? No. It is still the same program, with the same holes. You just never knew about them before... and here's the kicker: you're *really* hoping no one else knew about them either. Given the option, I'd rather not run systems like that.
Let's regroup and consider an example that follows the discussion being held here. I am a general in the military protecting a fortress. It is my job to keep the treasure in the inner keep safe. Am I more secure by keeping my building plans to myself, or by letting outside experts, whom I have no control over, review the plans for me? Naturally, it is entirely possible for an attacker to get his hands on my plans even if I don't release them (e.g., because of an internal spy or, oh I don't know, if an angry employee posts them on the Internet). It is also possible that one of the outside experts is actually a future attacker. Which is better? Is it always better?
