Open Source is an interesting alternative, which adds the possibility of collaboration and customization in the development of the software; it allows developers to use the code or part of it for their own projects, and this naturally offers many advantages. Now, many times I read several clearly wrong opinions about it. OpenSource is more secure and more private than closed source, which is completely false; it is not, and it is not the first time that I have discovered Trojans and other malware in OpenSource. It is true that a developer can review the code, although this is not always easy in very complex software with up to millions of lines of code, many also pointing to external scripts, which also require revision. For this reason, many developers do not do it, limiting themselves to changing certain code to adapt it to their needs or to create their own product. For this reason, security and privacy always depend on the activity of the creator / creators and the corresponding community, if any, to detect possible infiltrations by hackers, who also have access to the code of this software. The normal user, without great knowledge, has no possibility of verification, apart from passing the product through VirusTotal or the AV that he uses. You must trust the product’s TOS and PP, in many cases not much better for privacy than other proprietary products. Of course, the free argument is also false, not all OSS is free, it can even have high costs. For this reason, I think that, to maintain the freedom and the great advantages that the OpenSource movement has, to put an end to these mistaken opinions and to make users aware of the real value that this movement has, so as not to lead them to a field of disappointment.
Preferably use OpenSource, but like any other software, avoid blind trust and check the application before using it, and above all, importantly, always read the TOS and PP of the product; this avoids many annoyances. Avoid products without updates for a long time, which shows a lack of attention on the part of the developer.
free as in freedom, not free as in free beer –clearly undermining the definition of free software here, freeware is rarely OSS
No. Open source is safer than closed source. The correct is: “Open source software is not necessarily safer than closed source software.” On such topics, we need to make a clear distinction between open source/closed source and open source software/closed source software.
How open source is safer than closed source?
It is in the distribution model mostly. Open-source allows 3rd parties to verify and build the binary packages. With closed source you can only trust a single party that the binary does what they claim (and only that).
While of course malware can also be hidden in open-source software, it is much easier to hide it in 1st party distributed binaries that get directly installed by the end-user.
It isn’t really, protecting security and privacy isn’t the main reason for OpenSource. Looking on GitHub, there are FLOSS APIs from Google, Facebook, Amazon and others, which are included in many other FOSS. Privacy is another thing.
Github is a repository for open source code, not the concept of open source itself. As I have said many times before, please do not confuse “open source” with “open source software”.
I agree with you.
That is what I mean: “Open source software is not necessarily safer than closed source software.”, not even more private, because that isn’t the main purpose of OpenSource. As I say, it’s preferable to use OpenSource, but for other reasons than privacy and security, because they need the same security measures before using them as other software. That is what is important to make clear to a lot of users. It isn’t valid to say OSS=safety and security, which is wrong, and can lead to deceptions and disrepute. As much as possible I use FOSS, but sometimes there are better alternatives which are proprietary, VPNs apart. For example, one of my favorite pages is SSuite, clean and very useful, and with an exemplary PP, but it is only simple freeware. On the other hand I’ve seen OSS with malware or tracking habits to make money with user data, like any other software.
because they need the same security measures before using them as other software
No they don’t. With open source software I can just read the source code and use the transparently implemented isolation features of most open source operating systems to minimize potential damage. Closed source software I’d have to meticulously reverse engineer to be sure it does what I want, and there is no easy way to do this differentially on updates. Some vendors are even impertinent enough to forbid you from reverse engineering the software they provide. Also, if I find a vulnerability in open source software I can just talk to the developers and they usually try to fix it asap, especially in widely deployed projects. And if they don’t, I can just apply and publish my own patches or ask the community to do so. With commercial entities security and bug-fixing are just seen as cost factors. Even in supposedly high security fields I have seen software that was engineered to barely meet the compliance requirements for profit optimisation. (Although Hanlon’s razor could apply here, I never met the developers lol)
You are a developer who can read and check millions of lines of a simple browser engine? I can’t “just read” it; it’s the work of a big team if they want to do this. What you say is only valid in small FOSS apps, but not more. On the other hand, who does this in software with only sporadic maintenance and a small community? Most users don’t even read the TOS and PP of software, much less do they do this with the source code. Again, the security and privacy of FOSS depends only on the will and purpose of the developers and the community and on the ability to quickly discover malicious code leaked into this code, open also for hackers to find security holes. This is valid for all software, not only for FOSS. Unattended FOSS is a magnet for any kind of malware, I know because of bad experience.
What you say is only valid in small FOSS apps, but not more.
If you want to use bloatware, that’s your problem.
who does this in software with only sporadic maintenance and a small community?
The maintainers and users, exactly as with bigger projects.
Most users don’t even read the TOS and PP of software, much less do they do this with the source code.
So if the majority does it, it’s suddenly ok? Computing should be about empowering users, not about making them slaves to the software.
the security and privacy of FOSS depends only on the will and purpose of the developers and the community […]. This is valid for all software, not only for FOSS.
But with closed source software the will of the developers is obviously absent and the “community” can only do so much. Especially if they don’t want a lawsuit for violating EULAs. Also the “community” can’t just do their own thing if the developer has a bad attitude, especially once they are in the lock-in trap.
How does that contradict anything I wrote? This could’ve easily been spotted if someone just read the source code. (And it was, because someone did, although automatically) If it was a closed source DLL this wouldn’t have been found that easily.
The point of Free Software is, and has been for the last 40 years, the “four freedoms”:
- The freedom to run the program as you wish, for any purpose (freedom 0).
- The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1). Access to the source code is a precondition for this.
- The freedom to redistribute copies so you can help others (freedom 2).
- The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.
Notice there is no promise or guarantee that free software is bug free or has perfect security. Those are not things the free software movement promises. Of course, as a general rule free software tends to be more privacy respecting, because the point of free software is that free software works for the user, not for its developer.
It is correct that a free software license is not a magical shield that prohibits malware or privacy violation, but the free software community in general takes privacy very seriously. Anyone who has been following the Audacity fiasco knows this, and the GNU Free System Distribution Guidelines explicitly prohibit DRM, spyware, or malware.
I use free software because I want to control my technology, not because of any perceived privacy/security benefits.
As for TOS and privacy policy, these apply to network services and are orthogonal to and not a substitute for a free software license. If the software does not make connections to a network service then TOS or privacy policy is irrelevant.
The thing with ‘malware’ in free/open software is that you CAN (or somebody else will eventually) discover it, if such slipped by.
There’s no such choice with closed-source, where the seller/corporation often serves you Trojans intentionally, unknown to you (for data collection), and then even asks you to pay often for such a spyware.
keyword “eventually” many bugs have been around for decades.
That’s not exclusive to open source software.
I’m pointing out open source is not magical in this.
Ah, right. That’s correct, of course. Just because more people can find bugs doesn’t mean they will.
Are you being sarcastic?
No, why? The probability of people finding bugs rises as more possibly knowledgeable people have access to the code, but that’s not a guarantee to find all the bugs. See PGP bugs, branch prediction bugs, Heartbleed etc.
Basically I agree to what you said initially, some bugs have been around forever in spite of the code being openly available.
My experience is that open source tends to result in a much higher quality of code than closed source projects. The mere fact that the code is in the open tends to be a psychological factor leading people to write better code because they know that lots of people will see it. This difference can also be seen when companies open source projects.
While open source does not guarantee that the code will be more secure, it certainly does help in that regard. When the code is developed in the open it’s a lot harder to sneak in things like backdoors into it. The incentives are different as well since there’s no rush to meet deadlines that often lead to cutting corners. It’s also possible for third parties to audit open source products. The users don’t have to personally do this validation and can rely on the community around the project.
More importantly, I think the real value of open source lies in the fact that it’s not driven by commercial incentives. Let’s say you found a perfect commercial product that addresses your needs. Sooner or later this product will stop working the way you want. Companies need to be profitable to continue existing and that means that their software has to evolve and chase what current fads are, if you didn’t want changes then you’re out of luck. If a company goes out of business you’re also out of luck.
Meanwhile, open source projects can exist on minimal funding, and even when original developers take a project in a different direction the project can be forked. Mate and Cinnamon forks of GNOME are perfect examples of this. If you’re using MacOS or Windows then you’re stuck with whatever MS and Apple decide is best.
I like that this comment doesn’t attack the OP and has valid points in it rather than zealotry. Thank you for your post. I never thought about the psychological factors at play here.
Glad you liked the comment. :)
More importantly, I think the real value of open source lies in the fact that it’s not driven by commercial incentives. Let’s say you found a perfect commercial product that addresses your needs. Sooner or later this product will stop working the way you want. Companies need to be profitable to continue existing and that means that their software has to evolve and chase what current fads are, if you didn’t want changes then you’re out of luck. If a company goes out of business you’re also out of luck.
Nah, there are a lot of open source companies. Also very big ones. There are also many that open source large parts or just some applications. If they do a change that the community doesn’t like, they do a fork.
The discussion is regarding whether the source is open or closed and proprietary. Open source developed by a company is still open, people can still look at it, fork it, and so on. My point was that when a company has a closed source product then you end up with the problems I described.
I agree in part, and this is the point which I mean, that the purpose of OSS isn’t primarily security and privacy. Certainly they don’t have commercial interests (most), but it isn’t the norm; see the APIs of big companies, all of them are OpenSource, but with the function of tracking the user for commercial interests. The philosophy of OpenSource is the ability to share and to develop software in the interest of the user, but the latter can exist also in proprietary software of small companies or individual developers, who also offer user-centred software without surveillance. A good example is the famous app IrfanView, an excellent image/multimedia viewer and editor (freeware, proprietary), which lacks real OpenSource alternatives with the same features. What really should be avoided are the big monopolies as much as possible; it is not necessarily so important whether an app is FOSS or not. In general with this article I wanted to refute the many times seen opinion of FOSS = secure and private and closed source = garbage and spyware, which is deeply false and can lead to unpleasant surprises that I have also seen in the past, believing this, costing me a reinstallation of the OS due to an infected OpenSource app. They always require the same security measures before using them as any other software.
APIs being open doesn’t really mean the definition of open source. The code behind the API has to be available as well. The big difference with actually open code and small companies is that the latter relies entirely on trust.
As a user I have to trust the company to do the right thing, and I have no way to verify that they do. There have been plenty of examples over the years of companies being exposed putting in backdoors, selling user data behind their backs, doing surveillance on the users, and so on. That’s a fundamentally flawed model for security. With open source the code is visible to everyone, and while it’s possible to miss problems in it, it’s a system that facilitates independent verification, which is a better starting point.
It’s also worth noting that while small companies often produce decent products, they are also more likely to go out of business than large monopolies. This is also a risk for the user since the software they rely on will stop being supported at that point.
I think closed source software fills a niche, and I use it when there aren’t good open solutions available. However, I prefer not to get invested in such tools and use open solutions when possible.
Wow, you have no idea what you’re talking about.
not all OSS is free, it can even have high costs.
What do you mean by that???
It means that not all OpenSource is also free; it depends on other factors regarding, on the one hand, the will of the author and, on the other hand, the cost of eventual infrastructure, such as servers, hosting, etc. Also some devices, like smartphones, can be made OpenSource, not only software, which naturally cannot be free. https://en.wikipedia.org/wiki/List_of_open-source_mobile_phones
Open Source should always be preferred. It has the possibility to evolve into something great. Closed Source Software can stop working at any given time. At any time the behavior, the UI/UX, its “encryption”, its Features can change or require you to pay for it. OSS will always be open source. If the developers change or delete a feature you like, you are able to make a fork. You and everybody else have the power to make the software that is run behave the way you like it to run. Everybody could verify that the software does the things it’s intended to do. Everybody can learn from the principles and code of OSS to create a better world.