[OJFord]

I don't know what the bystander effect is, but I assume we're taking about the same thing: I often feel that everyone is, along with myself, thinking "great - open source! I'm sure someone's checking it."

Of course, the counter is that if you publish it you don't risk that someone actually is checking.

Open beats closed, but we must be careful not to think it immediately makes the code sound.

I've been thinking about this particularly recently in relation to Monzo, the will-be bank. There's no web app and slow progress on the android front. Lots of open source effort though, since they publish an API, but... That's my bank account I'm (not) giving open source developers access to.

[rhizome]

but we must be careful not to think it immediately makes the code sound

nobody is saying it's automatically sound, but open is the only option that makes any security analysis possible.

[OJFord]

> open is the only option that makes any security analysis possible

I'm not disputing that. Let me repeat myself:

> Open beats closed

All I'm saying is that it doesn't stop there. Too often there's this complacent 'great, it's open source!' - I'm as guilty of it as anyone.

[rhizome]

You're begging the question.

[OJFord]

Pardon?

[FabHK]

> open is the only option that makes any security analysis possible.

Many people are disputing that, and I'm getting around to that view. Closed doesn't mean you have nothing, it means you have the binaries, which you can disassemble and analyse. With open, you have a bit higher level language, which you have to analyse, plus then you have to show that the binaries correspond to it.

[BuuQu9hu]

> open is the only option that makes any security analysis possible.

Generations of crackers and security researchers have proven that incorrect. There are plenty of tools for dealing with compiled programs.