On 04/26/2014 05:18 PM, Shava Nerad wrote:
> Anyone who is lauding the verifiability of open source security software had best show that their code has been regularly and thoroughly audited.
I'm not sure what that means, so I'll start a new paragraph for what could be a non sequitur...
Someone doesn't have to be an active scientist doing peer reviewed research in order to laud the verifiability of the scientific method. Similarly, I don't have to be an active security dev working on peer reviewed software in order to recognize the obvious benefits of the free software approach over proprietary development.
Anyone who wants to ignore those obvious benefits had best explain how they would verify a fix for the Heartbleed bug if the public weren't allowed to read the code. And what if you didn't trust their description of the fix? What if you, as an expert security programmer, suspected that the proprietary team wasn't using a sane codebase or doing a good job of maintaining it? How would you leverage your skills to improve that proprietary security library?
Compare the time it takes you to respond to the time it took the OpenBSD peeps to do a "git clone" command.
-Jonathan

-- 
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
