Nobody asked me, but I think David buried the most important point in the middle. I have seen lots of TERRIBLE code written by "engineers from big tech." That's not the key point. The key point is
> the code is in the open and can be scrutinized by millions of people There are thousands (if not millions) of people, ranging from high school code nerds to professional security consulting firms, hoping to make a name for themselves by being the first to spot some vulnerability in Apache, the Linux kernel, etc. That is an incredible free code inspection service. That is the key to the security of open source (IMHO). You can't say that for most in-house software. You all know what corporate culture is like. #1 your boss is not paying you to scrutinize other peoples' code. And #2 if you spot some flaw in Bob's code you keep your head down, because Bob is such a grump and does not take criticism well. And BTW this is coming from someone (me) who is basically a proprietary software guy. I made my money writing conventionally-licensed proprietary software. I have never contributed to an open source project. Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of David Crayford Sent: Friday, February 11, 2022 11:39 PM To: [email protected] Subject: Re: Fwd: Log4j hearing: 'Open source is not the problem' On 12/2/22 4:56 am, Radoslaw Skorupka wrote: > Well, who said it is not a problem??? I do. I maintain that proprietary code has just as many vulnerabilities as open source. In fact, I would suggest that open source code is better as the standard of engineer tends to be much higher than your average Joe coder working for a bank. Also, the code is in the open and can be scrutinized by millions of people. Who do you think develops open source software? Is it hobbyists, enthusiasts, students, academics etc? The truth is it's mostly engineers from big tech who are getting paid to develop open source. Check out the authors of Apache Commons components and it's IBMers https://github.com/apache/commons-bsf/blob/master/AUTHORS.txt. IBM were the organization that stumped up the cash and resources to develop Eclipse. A huge amount of Apache open source code is written and maintained by IBM and it's used extensively in their products. > It sounds like "open source is free of bugs". However I have never > heard such claim. Nobody is saying that. That would be ignorant and stupid. All software has bugs. > More: companies use some kind of whitelisting open source software. In > many cases software developer is not allowed to use "fancy, shining > code" just because there some requirements are on met. It can be > community, reputation, maturity, etc. How can a company whitelist open source software if they purchase a product from a vendor or IBM that uses open source? As our products are sold and marketed by IBM we provide them with a Certificate of Originality which is a bill of materials that lists all of the open source software (with versions) that we use. We scan all of our products as part of our DevOps pipeline. There are three types of scans: ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
