jodiendo,

I read somewhere (who knows if it is true) that one US government agency had ~1,000 full time analysts who look for bad code to be used for potential exploits. Assuming other countries have something similar, in numbers alone, the free (and open) software movements would need similar thousands--full time equivalent--doing similar work and making fixes, rather than cataloging and saving exploits for later.

This approach does not involve "trust", which is what you asked about, but may well work better than trust. Just use plain old "overwhelm" and make the opposition's work more and more expensive and more and more difficult to justify and sustain.

The problem with trust is that while it ought to be "earned", the world is full of good guys and bad guys and corruptions within both groups who do not make the accounting easy or fair.

Ideally "they" want to dispense trust or safety or privacy; to bless it, to control it, which in turn gives them an indirect control and status over all people who "need" to believe in those issues. And many people are ok with, and even welcome, a scenario of "letting someone else do it", so that kind of trust system works, but doesn't really deliver what it promises.

It takes "work" to accept and deal with trust issues, poor security, and the loss of privacy. Making the work harder is that there is no end point; the work is never finished, it is an ongoing process as they say...because good guys and bad guys keep figuring out new methods to accommodate their ends and needs.

Personally I am still waking up to this reality and have difficulty accepting it. I have noticed it however and that is a start.

There has been a compelling myth that freely readable software code has many eyes constantly checking and improving it. That myth must die today and no longer be recognized as "real". From now on, it needs to become real.

How to develop a real system of code checking that overwhelms the opposition would be helpful. How to arrange that? At this time, I do not know. There must be a way however.

Reply via email to