Hacker News new | ask | show | jobs
by acdha 2088 days ago
Go count how many CVEs have come out for OpenSSL, GNUTLS, LUKS, etc. and ask whether you’re offering helpful advice. Security is expensive and there are no silver bullets: at the end of the day you need a lot of skilled work and being open source doesn’t magically get that for free.
1 comments
ethbr0 2088 days ago
That's apples and oranges.

Counting published vulnerabilities in open source systems vs closed source systems says nothing about the relative true ratio of vulnerabilities.

link
acdha 2088 days ago
Are you seriously claiming that anything short of omniscience is useless? In most fields people deal with incomplete data on a daily basis and this is no different. CVEs don’t tell you everything but they definitely give you more than zero, and more to the point, the many vulnerabilities in open source projects suggests that the very broad but completely unsupported claim I was responding to is based on ideology rather than reasoned analysis.
link
ethbr0 2088 days ago
> the many vulnerabilities in open source projects suggests that the very broad but completely unsupported claim I was responding to is based on ideology rather than reasoned analysis

Does it? In order to claim that, one would have to have some idea of (a) the ratio of disclosed vulnerabilities to true vulnerabilities discovered in both open source, accessible code vs closed source, hardware locked code, and (b) the relative ratios of disclosed vulnerabilities.

Do you have any idea what either ratio might be? 1:1? 4:1? 1:4? 100:1?

link
acdha 2087 days ago
Again, the comment I responded to made an absolute claim but, like you, had no supporting evidence. Unless one of you can produce some evidence it’s hard to support the belief that this is based on data.

If you read the thread, note that I’m not taking a side other than finding it absurd to claim that all open source products are inherently better than all proprietary products with no analysis or data.

link
zaarn 2088 days ago
Unless you know the true ratio, you can't claim that open source projects are better either. Or that one has advantages over the other when it comes to cryptographic security.

I'm not GP and I'm not arguing for either side, just pointing i tout.

link