[kasey_junk]

Minor nitpick. Closed source software is of course audit-able. Being able to audit binaries is table stakes to even call someone an auditor.

There may be many valid reasons to prefer open source software but security audits aren’t one of them.

[Sir_Cmpwn]

I'm gonna take it on good faith that you're not a troll...

Open source software is much easier to audit than closed source software. People have a finite amount of time to do things like audit their software.

[fabrice_d]

But auditing the source is only useful if you can do reproducible builds to be sure you run the audited source.

This is rarely the case unfortunately, and for most of open source prebuilt software you use, you rely on trust and not on audit.

[Sir_Cmpwn]

That's not true. You could always, you know, run the version you compiled yourself.

[kasey_junk]

We’ve known for 30 years that’s not enough (depending on your risk characteristics).

Trusting trust is one of the seminal talks in software.

[Sir_Cmpwn]

We've known that in theory your compiler et al can be backdoored but in practice we can feel a lot safer compiling our own software than using proprietary binaries.

[kasey_junk]

I think that might be where we disagree. Without a competent security audit I think you are falling back to trust.

Open Source vs Closed source is not where I or the security professionals I know put most trust emphasis. I would enthusiastically trust something closed from Google over a rando open source project.

But back to the original point, even the most basic audit steps are the same on an open source project vs closed one. Observe what the binary does & inspect it for standard patterns.

[gjjrfcbugxbhf]

There are different types of audits. Yes someone doing a full security audit is going to be happy with doing reverse engineering. But I can perform a quick check on a lot of the software that I use that it doesn't do user hostile things (like ring home on startup) this is harder to do on a binary - so given the choice I'll use the open source option.

[kasey_junk]

For those kind of checks why would you look at the source? Stick a proxy between the internet and the device to see what it does.

Seems waaaay easier than looking for the mythical badCodeGoesHere function.

[gjjrfcbugxbhf]

Because I can trivially read and run code in my head I do that all day. I don't have a clue how to set up a proxy. Also my scan over the code tells me if it is generally badly writtes and a lot more than just one example of potential bad behaviour.

[kasey_junk]

You are more prepared to run arbitrary code “in your head” than setup a simple network proxy?... uh huh

[gjjrfcbugxbhf]

Yeah. As a developer the former is literally the $dayjob. The latter - I've never done so it could be simple or it could be hard. I've heard that getting software to respect proxies is tricky though...

[kasey_junk]

So um. I'm a developer and the idea that I could take an arbitrary code base and get it into my headspace in less time than it would take me to figure out a programs network interactions is one of the most absurd things I've ever heard.