There are some people won’t touch anything to do with open source projects as they feel it might have issues with security. What does open source actually do for security or change how it works?

  • @[email protected]
    link
    fedilink
    English
    131 year ago

    In my opinion it makes a project even more secure. Many eyes are able to inspect the code and review it for known and unknown vulnerabilities. It is a cat and mouse game anyway, you might as well broadcast all the flaws in hopes of people catching them and helping to fix them.

      • Otter
        link
        fedilink
        English
        11
        edit-2
        1 year ago

        I think the argument is usually

        If bad people see the code, they can spot vulnerabilities and exploit them

        But I that’s not really how it works because it doesn’t cost anything to try an exploit. People generally aren’t going to look through the code to try and spot a weakness when they can just run an automated thing to attempt common vulnerabilities. Open source, closed source, bad code will fail the same.

        I see it as a lock. With open source, you know how the internal mechanism is supposed to work and you can judge how secure it is. With closed source, someone says “trust me” and doesn’t show you how the inside works. It could just be a “if something metal is inserted, unlock the system”.

        Ultimately the best thing is to look for open source software that’s been audited. If no one has checked the FOSS code, then you don’t actually know it’s safe. Once that’s happened, best of both worlds.


        One other concern might be “if it’s open source, then everyone can see my password!”

        Which is just… wrong

        • Otter
          link
          fedilink
          English
          31 year ago

          Oh and in practice, companies might pick a closed source paid product over a free and open source one.

          But it’s not the product, it’s the legal/financial agreements. Companies like to externalize the risk instead of taking it on themselves. They like being able to sue someone if things go wrong.

          The other company might be running the FOSS software too. They’re taking on the responsibility.


          Oh and finally, a lot of open source products and protocols are used by closed source companies.

          ex. Signal protocol is used by Facebook for some things