by splithalf 1916 days ago
Ars seems to be calling all open source software insecure. I'm not saying they are wrong, but what's the value in their article? Is it gotcha journalism, or are they warning us not to trust BSD-based systems in general? The article starts as a gotcha piece but concludes by saying there's no review in place to catch these problems.
2 comments

This is just incorrect. Nowhere in the article does the author, Jim Salter, generalize about all open source software. When someone in the comments did make that leap, Salter pointed out that if these had been closed-source projects the bad code would have been put into production and no one would have known better.
You’re right. I misread the original to be general criticism of open source, but the author made his statement specific to FreeBSD release 13.

“Neither Netgate's responses, FreeBSD Core's, nor the off-record responses we heard from independent FreeBSD community members lead us to believe that there was in fact any process in place that could reasonably have been expected to catch this issue prior to it going out into the world in 13.0-RELEASE”

But it would help if he made it clear why he felt this criticism was specific to FreeBSD release 13. It sounds to a naive reader like a critique that could apply to much of open source software. The author didn't say that, but it's a reasonable extrapolation to make.

> Ars seems to be calling all open source software insecure

> The article starts as a gotcha piece

Haha, that’s the problem. You, Netapp, value saving face so very much that you are incapable of constructive response to well-meaning, fair, and honest criticism.

Not Netapp, and I don't use or endorse their products. I just don't like angry mobs or journalism that uses angry mobs as a business model. Too much anger and retribution in the world, not enough forgiveness or compassion. If this code was up for review for months and nobody noticed the printf debugging code in the crypto, then I'm sorry, but blaming this one bad person seems gratuitous to me, and shortsighted. Ars concludes the article by saying this is a BSD/open source problem. How does that help anyone?