There are some people won’t touch anything to do with open source projects as they feel it might have issues with security. What does open source actually do for security or change how it works?

  • Captain Beyond@linkage.ds8.zone
    link
    fedilink
    arrow-up
    5
    ·
    edit-2
    1 year ago

    It doesn’t really. In theory more eyes on the code means more chance for a security bug to be found, either by white hat researchers or black hat exploiters. In practice this doesn’t really pan out; not only are most free software projects small hobbyist endeavors, but even large free software projects with many eyes on them, such as OpenSSL and curl, have had critical security vulnerabilities over the years. When it comes to security issues, having the right eyes on the code matters more than having many eyes.

    The original promise of free software, the four freedoms, is all it guarantees. In my opinion this is enough to prefer free software over proprietary.

    • JustEnoughDucks@feddit.nl
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      Isn’t your OpenSSL and curl points proving the opposite? Every program will have vulnerabilities and they had critical security vulnerabilities that were found and fixed.

      But yes, I agree that 95% of open source projects have absolutely 0 security testing. Might not matter for some embedded applications, but it matters a great deal for public facing container plugins for example. Then again, most closed source software also hasn’t been pen tested.