Thread: Is Open source software development more secure?

  1. #11 Ninja Code Monkey (Join Date: Nov 2001; Location: Washington State; Posts: 1,027)
    VicC > interesting link. I'm going to post some of the myths they bring up here:

    Myth: Publicly releasing open source code will attract flurries of patches and new contributors.

    Reality: You'll be lucky to hear from people merely using your code, much less those interested in modifying it.


    Myth: New developers interested in the project will best learn the project by fixing bugs and reading the source code.

    Reality: Reading code is difficult. Fixing bugs is difficult and probably something you don't want to do anyway. While giving someone unglamorous work is a good way to test his dedication, it relies on unstructured learning by osmosis.


    Myth: Installation and configuration aren't as important as making the source available.

    Reality: If it takes too much work just to get the software working, many people will silently quit.


    Myth: Even though your previous code was buggy, undocumented, hard to maintain, or slow, your next attempt will be perfect.

    Reality: If you weren't disciplined then, why would you be disciplined now?


    Myth: Users don't mind upgrading to the latest version from CVS for a bugfix or a long-awaited feature.

    Reality: If it's difficult for you to provide important bugfixes for previous releases, your CVS tree probably isn't very stable.


    These are only a few of the points brought up in the article VicC posted (for those of you who didn't read it) and are all valid arguments. I'd say anyone who hasn't taken a peek at it already probably should.


    qod > I agree. Waiting for a fix from a closed source vendor is a pain. Open source projects are indeed nice since you can get fixes from multiple sources, or even do it yourself. I would throw the quality of the code being pushed into question, however. If you are getting fixes from others, I would make doubly sure that the code you're getting is safe to run, and verify that it fixes the problem and doesn't compromise the functionality of the system elsewhere. Depending on the scope of the problem, it is possible for educated users to fix something themselves. Also, depending on the issue, this could open other holes due to a less than thorough understanding of what is being done or of the system as a whole. If these projects had a thorough set of automated test scripts (and some do) to run for regression testing purposes, I think I'd feel a bit better.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh

  2. #12 Senior Member (Join Date: Jan 2002; Posts: 1,207)
    I personally think there's not a lot in it.

    Being a web developer, I've seen a lot of web application source code - closed source as well as open source.

    While it's true that the security of the application depends very much on the methodology and technology, I don't think whether it's open or closed makes a great deal of difference.

    I've seen the same lame bugs come up again and again, in open and closed source alike, SQL injection for example.

    There have been ample SQL injections in M$'s web application code (typically using ASP), and quite a lot also in open source stuff, like phpbb.

    I think that some OSS projects though, like Linux, have extremely high standards.

    Linux is one of the best ones; unfortunately nearly everything else (OSS and otherwise) is a long way behind. REALISTICALLY, in many OSS projects, there are only a few developers, and they rarely, if ever, review one another's code.

    In most cases, it's possible to get into an OSS group merely by sounding enthusiastic and competent. It's commonplace to hand out CVS commit access to total strangers.

    Of course, Linux is an extreme example, its hierarchical peer review system ensures that every piece of code is either written by, or approved by, someone who Linus trusts a lot, and in most cases has met.

    Slarty
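The "same lame bug" Slarty names, SQL injection, and the regression tests qod wishes more projects had, shown side by side in an added example (not code from this thread, phpbb, or any of the projects mentioned). It uses Python's standard-library sqlite3 with a constructed two-row users table so it runs offline; the function names and the sample credentials are assumptions made for illustration. `login_unsafe` pastes user input into the query text, `login_safe` passes it as bound parameters, and `regression_passes` is the kind of automated check that would flag a contributed "fix" that reintroduced the string-building pattern.

```python
import sqlite3

# Constructed sample data: a tiny users table, not taken from any real project.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Constructed tampered input: a single quote followed by an always-true clause.
TAMPERED_INPUT = "' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_unsafe(conn: sqlite3.Connection, name: str, password: str) -> list:
    """The vulnerable pattern: user input concatenated into the SQL text.

    A quote character in either argument ends the string literal early and the
    rest of the input becomes SQL syntax, so the WHERE clause no longer means
    what the developer wrote.
    """
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    """The hardened form: a parameterised query.

    The statement text is fixed; the driver hands the values to SQLite
    separately, so quotes inside the input stay data and never become syntax.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def regression_passes(login_fn) -> bool:
    """Automated regression check for a login function.

    Passes only if a known good credential pair is accepted, a wrong password
    is rejected, and the tampered input matches no rows at all. Running this
    against every contributed fix catches an injection bug before it ships.
    """
    conn = build_db()
    good = login_fn(conn, "alice", "s3cret") == ["alice"]
    wrong = login_fn(conn, "alice", "wrong") == []
    tampered = login_fn(conn, TAMPERED_INPUT, TAMPERED_INPUT) == []
    return good and wrong and tampered


def demo() -> dict:
    """Run both variants on good and tampered input and collect the results."""
    conn = build_db()
    return {
        "unsafe_good": login_unsafe(conn, "alice", "s3cret"),
        "unsafe_tampered": login_unsafe(conn, TAMPERED_INPUT, TAMPERED_INPUT),
        "safe_good": login_safe(conn, "alice", "s3cret"),
        "safe_tampered": login_safe(conn, TAMPERED_INPUT, TAMPERED_INPUT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("unsafe passes regression:", regression_passes(login_unsafe))
    print("safe passes regression:", regression_passes(login_safe))
```

With the tampered input, the string-built query becomes `WHERE name = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, so `login_unsafe` returns both users without a valid password; `login_safe` returns nothing for the same input. The same check works against any database driver that supports bound parameters, which is the point: the fix is a query pattern, not an input filter.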

  3. #13 PHP/PostgreSQL guy (Join Date: Dec 2001; Posts: 1,164)
    Ah yes, the good old OS vs CS discussion. Don't worry, I'm not here to rain on parades, hehe...

    Open Source pros - easier to create stable environments because you have the masses to report issues, improve, optimize and trim down code, and have faster response times for fixes because there's forums for just about everything OS-related.

    Open Source cons - you have no idea where your code's going, you have to make sure it's held together by something like Sourceforge so all official work is tracked, you want to ensure there's one 'stable' release tree in CVS as well as multiple 'development, try on your own' trees that are not mixed, people can alter it at will and never tell you, and of course, bugs can be found and exploited and never reported but that's harder to do because if one finds it and never tells, another will find it and probably will tell.

    Closed Source pros - easy to maintain one official release of code with all sorts of legal jargon meant to scare people who wish to 'decompile' the code and figure out how it works, one central location will house the source code ensuring physical security, and overall is easy to maintain.

    Closed Source cons - everything relies on the developers actually FIXING something that's reported. Many times I've seen bugs go ignored for weeks because the developers are too swamped with work on other issues. This isn't good. In OS you can SEE a fix, improve upon it, actually fix it if it's not working up to par, etc. You can't do this as a CS program user. Begging, pleading, cussing out, flaming, etc will be useless because developers respond to those about as much as game developers respond to forum questions concerning release dates. Then you have the one developer who really gives a **** and tries to respond and once the masses see this person as wanting to help, they immediately flood him/her with "Fix this, fix that, this is broken, this needs help", etc. Not to their fault, but because they have someone that's TALKING to them. Companies with closed source generally have VERY tight rules on what's said relating to their product, especially concerning new releases, bug fixes, and the like. Customer support is an inherent problem, as you can see. Companies like MS "say" something's fixed, but because we have no way of knowing whether it's true, we have to TRUST them, and since it's been proven time and time again that other issues have popped up, etc...it becomes a lesson in futility and one I'd like to stay away from.

    IMHO, I'm all for Open Source. I've worked on 3 MUDs and the open-source nature of it has allowed people to see my work, offer improvements, etc. We all learned to share in kindergarten, so why not pass that along to the real world of programs? Sure, there are people out there that do nothing more than exploit bugs, create problems, and overall abuse the entire system, but the general populace is a "Do the right thing" group and that's where your benefits go to as well as come from. Closed source offers certain things that Open source can't... but the benefits from OS, IMHO, far outweigh these few things.

    OS for life, baby!
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
