> I don't trust people who are more code-savvy than I am (that's most people) not to insert or exploit weaknesses in open-source software or other open code

That applies to closed-source software as well. With (popular) open-source software, on the other hand, you can be confident that "people who are more code-savvy than you are" can examine the code for inserted weaknesses. Existing vulnerabilities can and will be exploited if there's an incentive to do so, regardless of whether or not the source is available.

> With closed-source software, I know the origin point of the software I install, I know the names of the individuals or teams who developed it

That seems like the exception, rather than the rule. Consider browsers, for example. I can see exactly which people have commit access on the open-source Firefox or Chromium projects. When it comes to a closed-source browser such as Microsoft Edge, on the other hand, I only know that "the Edge team" develops it. I have absolutely no idea who is currently on this team, or the quality of any individual member's work.

> and therefore I know who stands behind it, because their reputation is based on that released software working

This doesn't mean that closed-source software is intrinsically less vulnerable than open-source software. Microsoft's reputation may be based on Windows working, but that didn't stop WannaCry - nor will it stop future exploits.

> If something goes wrong, I can take clear action because I know who is to blame, e.g. Vivaldi, Microsoft, etc.

Realistically speaking, what action can you take, besides switching to other software?

> With open-source software, that liability for the software developer is thus offloaded to "the community"

You're conflating open-source software with software developed solely by the community. Many open-source projects, such as Chromium, Firefox, and Linux, do have specific organizations that are either involved in or responsible for their development.

Closed-source software only gives you an opaque team or organization to blame, while open-source software can give you a specific commit - diff, date, and author.

> Too many people can see it

Direct access to the code may make finding vulnerabilities easier, but as shown by the number of security vulnerabilities in well-known and well-funded closed-source projects (Windows, iOS, etc.), it will not stop determined attackers from finding and exploiting them.

> too many people can make changes

How many is "too many"? If you're referring to the number of people with commit access, then you'll almost never be able to know that number for closed-source software. If you're referring to the number of contributors, then it's not much different from trusting the core development team in the first place. Regardless of where the code originally comes from, you're trusting the maintainers to be able to recognize bad and/or vulnerable code, whether introduced accidentally or maliciously.

> and it's happening way too fast

Do you have a specific project or projects in mind here? This seems very similar to the issue of "too many people can make changes" - you can only make an informed guess, at best, as to the development rate of closed-source software. Unlike with open-source software, you can never know exactly how many changes went into a particular release.