by BoringCode 3241 days ago
Many open-source projects simply don't have the resources to adequately test their products or provide support. Contrast this with a large company which has the resources and the willpower to provide support for their software. Often the best of both worlds is a large company/organization that dedicates its resources to an open-source product, but that's not always the case.

But this issue is never as black and white as "open-source is more secure." There are many other factors that go into the security of a product beyond its source code being readable. Deciding which factors matter largely depends upon your unique threat model.


I'm not sure about "a large company/organization that dedicates its resources to an open-source product" being the best of both worlds. I mean, maybe narrowly defined, sure. But take one of the better examples of the form, Chrome/Chromium. I'm not sure that a world where we get a free web browser that is used to funnel us all into an ad-driven model powered by an incredible surveillance apparatus is strictly better than a world where we all have to buy our web browsers. There's tradeoffs all the way down. Open source coexists well with some revenue models and doesn't with others, and the revenue models that best coexist with open source have some very significant downsides in terms of how they don't align the interests of the business with that of its users.
I am concurring with you. The point I'm making is that it's a matter of resources and trust, not literal "open source" that matters.

If I trust an organization to put the resources towards properly auditing their software, that's often far more important than whether or not I can personally do an audit. The majority of people and organizations do not have the time or technical skills to properly evaluate software. Whether the software they use is open-source won't ultimately matter.

The "many eyes" argument often falls apart because most of the time there simply aren't that many eyes dedicated to a project. What is the practical difference between Microsoft hiring 100 people to perform security audits and an open-source project that has 100 volunteers? Resources and trust. If you trust the open-source project to dedicate resources to security, and their software fits in your threat model, then use it. Or the inverse, if you don't trust MS and their software doesn't fit: avoid it. The vast majority of the time open-source vs closed-source should not be the main differentiator, but rather a smaller element of an informed decision.