> I don't think anyone would claim that every piece of free software is
> automatically more secure than every piece of proprietary software,
> because as you say there are many other factors involved.

Nor would I!

> But in your definition of security, you seem to be discounting the
> user's ability to verify things for herself, or to commission a 3rd
> party to verify things for her. You seem to be treating security merely
> as a trust issue, or an "available/obvious/likely exploits" issue.

I really think it's just a matter of building something that works, that actually is secure, and I think there are many factors that go into that. Open source can be a great advantage, but not if none of those users actually do go and verify things for themselves. The reality is that none of us have the time to verify the security of all the tools we use, and that's even if everyone had the expertise. We all trust the vast majority of the tools we use as a result. That's not by any means to say that security should be based on that trust; it should be based on peer review, continuous research, and careful coding. All of that takes a great deal of time and often money, however, and poorly funded open source projects usually fall way short because they've got one part of the structure right but not the others. Proprietary software clearly falls way short all the time too.

All that said, there's just an astounding degree of cooperation in this community of people devoting countless hours to improving the security of so many tools, and that's certainly to be applauded, but those people are largely fighting an uphill battle because they're underfunded.

> That's a limit on the definition that doesn't work for me. Software that
> I can't look at or ask someone to look at is by definition insecure in
> one important way.

I think the principle of that is great, but in practice we just can't all review all the code all the time. In practice we often end up trusting open source code that is far worse reviewed than much of the closed source code we trust. I'm not trying to attack open source; I've been writing open source code full time for the past 13 years, it's what I do. But I don't think we should be delusional about it.

> Your points also don't disprove the claim that, if you are designing a
> new project that you want to be secure, a free software approach should
> be chosen. You should do lots of other things right too, of course, that
> have nothing to do with licensing.

Totally agreed! It can just be overemphasized amongst the list of factors. It's a super important one to be sure, but not the only one.

-Adam

> -john
>
> --
> John Sullivan | Executive Director, Free Software Foundation
> GPG Key: 61A0963B | http://status.fsf.org/johns | http://fsf.org/blogs/RSS
>
> Do you use free software? Donate to join the FSF and support freedom at
> <http://www.fsf.org/register_form?referrer=8096>.
>
> --
> Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech

--
Adam
pgp A998 2B6E EF1C 373E 723F A813 045D A255 901A FD89
