On Mon, 2018-02-05 at 09:39 -0800, Jens Alfke wrote:
> > On Feb 5, 2018, at 9:21 AM, Drago, William @ CSG - NARDA-MITEQ <Wil
> > liam.dr...@l3t.com> wrote:
> >
> > The reliable part is easy because there is enough information on
> > the SQLite website about testing, but what about security?
>
> Open source software is more secure than closed source, since the
> source code can be reviewed and audited.

It is considered easier to verify, sure. But there are still some big questions:

1. How do you know the source you're looking at is what you're running?

2. How do you know the source you're seeing is compiled correctly? Look at the bug lists for common (*cough* gcc *cough*) compilers.

3. How do you know the CPU you are running on is running the code correctly and that it is secure? Common microprocessor vendors have hundreds of errata for chips still being sold.

The only way to know what code is doing is to trace it on the target hardware. We don't need source code for that. And even that could be misleading if the hardware is broken or deliberately subverted.

> (In the security field, closed-source cryptographic software isn't
> even taken seriously since it's not possible to verify its claims,
> just as scientific results need peer review and independent
> confirmation.)

That is true, but perhaps closed-source cryptographic _algorithms_ are the issue and not source code. And this is just for reference implementations... you can still verify exactly what you have without source code. It just takes more effort, and personally I believe it's more reliable.

I don't believe RSA or IBM or any of the other vendors have open sourced any crypto code. I think what typically happens is that when they come up with a new standard they produce a reference implementation, and then after the contest is over they implement whatever they implement and everybody just uses it.

> I don't know if this will convince your IT management though, because
> if they're against open source they must be remarkably backward...

I don't think that is necessarily so. Many companies want/need to be able to point fingers when something goes wrong. And they need to get their systems working ASAP. The vast majority of open source projects have no accountability; they're free as in beer, and as long as it works for the guys spending their time writing it, they're done.
Companies (especially publicly owned and traded companies) really cannot rely on freebies and goodwill if they want to stay in business and keep their executives out of jail.

Open source quality is atrocious. Sure, a lot of closed source quality is atrocious too. Free stuff should be expected to be worth the price paid, and most of the time it is not even that.

sqlite (and fossil!) are wonderful, wonderful projects. But there is a sea of unsupported garbage out there, and nobody who wants to keep their job can feel safe wading through that. There is also the issue of viral contamination of GPL, etc.

I think Dr. Hipp did everything right, but even so, he is in the tiny minority.

/jl