On 04/26/2014 09:33 PM, Shava Nerad wrote:
Security software isn't like a lot of open source projects. Generally
there have to be narrowly controlled commits, well reviewed. Those
people are experts who may have a lot of other demands on their time
that are far far more monetarily rewarding if the project is
un(der)funded. So they are rare altruists, and we often burn out our
best.
I am not trying to compare these projects to closed source projects. I
am trying to compare them to FOSS hubris.
The idea that we have, that the NGO sector has, that there is inherent
virtue in poverty and inherent evil in gaining enough resources to be
well resourced for the work available.
We need to get over that aspect of this whole thing. Ideally, in my
opinion, we need well organized well resourced groups with less
politics and less fashion-driven ideals. I have no problem with free
software and open source -- I have worked with a number of projects
over the years in various roles. I was the original publicist for FSF.
But if we always are comparing ourselves to closed source projects,
then we are not able to own either our own native strengths or the
vulnerabilities in our own working culture. We glorify doing more
with less to an excess. It's not always appropriate, in extremis, for
every project.
Security projects are at a huge disadvantage in an environment of
impoverished resources. Any one of you should be able to run that
risk analysis. Open or closed, under-resourced projects will be at
greater risk. Period.
We should evaluate how the environment around a project -- funding,
development, research attention, use in greater communities -- leaves
it more or less prone to exploit attention being more likely than
community maintenance.
Because at root (pun possibly intended), some of the balance may be
coming down to the size of the pool of hackers focused on the code
with either intent.
It's a buyer's market out there. I don't make the news. But it does
make me ponder.
This seems like a hard problem, to me. Tell me, what is it that I
misunderstand?

So in a nutshell you want to focus on the word _insufficient_ in the
sentence, "Free software is a necessary but insufficient prerequisite
for secure software." If that's the upshot then I understand and agree
with your focus.
-Jonathan
--
Liberationtech is public & archives are searchable on Google. Violations of
list guidelines will get you moderated:
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change
to digest, or change password by emailing moderator at [email protected].