Hacker News new | ask | show | jobs
by stonogo 1797 days ago
How many people can authenticate a dollar bill? How many people can validate a cryptographic signature? How many people can direct a blockbuster action movie?

The point is, right now, nobody can audit these things. Once someone -- anyone! -- can, everyone else can benefit.
2 comments
cassianoleal 1797 days ago
There's also the matter of traceability.

Even if there is no direct audit of the code, once a vulnerability is discovered it can be traced back to the person(s) who introduced it.

With a closed system, only the owner of the source code history can do that. With open source, any person in the world can, and can start a discussion to understand whether it was malicious or not, if the person(s) should be banned from pushing code, new code security standards to be adopted, etc. You lean on the world's expertise at that point.

Bad things happen. It's important to have the ability to understand why and mitigate for the future.

link
pjmlp 1797 days ago
Nope, it can be traced back to a random nickname on the Internet, using a computer somewhere in the globe.
link
cassianoleal 1797 days ago
That may be so, but it's usually been through code reviews, pull requests and whatnot - which means a maintainer somewhere has approved that code.

In any case, "a random nickname on the Internet, using a computer somewhere in the globe" is a lot more information than none.

Finding out that that's the case for a given project is part of traceability.

link
pjmlp 1797 days ago
How do ensure it wasn't a malicious maintainer?

That information is meaningless if traces back to an empty room.

link
cassianoleal 1796 days ago
If the project has a malicious maintainer, it's easier to find out if it's in the open - and either forcing change or not using the project at all. It's impossible to do that when you have no access to that information in the first place.

It's not perfect but it's something vs nothing. I'll take something every time.

link
pjmlp 1796 days ago
How do you track down a malicious maintainer, introducing a back door slowly during one year long, a little change at a time, given how long CVEs in OpenSSL have been unnoticed as example?
link
Traf444 1797 days ago
I guess you have never had commit rights to any Linux distribution or such?

You don't get commit rights as a random person, so yes, a commit can usually be traced back to a person. Sure, the committer could have received a patch from a unknown person, but then he's still responsible for the commit.

link
pjmlp 1797 days ago
I guess you are a security expert that knows how every single FOSS project that might be used as dependency works.
link
Traf444 1796 days ago
That's not what I tried to say. It's up to you as a user to make due diligence and make an informed decision if you want to use the software or not.

Any serious project would have some form of web of trust and know who has commit rights. It's up to you to decide if you trust their web of trust.

I guess from your comments that you are not actually interested in contributing to the discussion since you just sprout single line comments with no information at all.

link
pjmlp 1796 days ago
I contribute with experience instead of FOSS ideology absent from how things actually work.
link
zimpenfish 1797 days ago
>How many people can authenticate a dollar bill? [...] nobody can audit these things.

USGOV has a pretty comprehensive guide on how to validate them:

https://www.uscurrency.gov/sites/default/files/downloadable-...

link
manquer 1796 days ago
There is also plenty of documentation and books to learn coding and start auditing if you want to.

Fake validation is less like coding as to catch a really well made fake you would need years of experience seeing all sorts of fakes , while coding needs only experience to see what is good code to able to catch most issues

link
zimpenfish 1796 days ago
> coding needs only experience to see what is good code to able to catch most issues

If that were true, the software industry would have a much smaller problem re: bugs and errors than they currently do.

link
manquer 1796 days ago
Less bugs would be there if the industry wanted it and paid for it.

Sadly the problem is good enough is how the industry sees everything, constant cost cutting , off shoring or replacing senior talent with fresh graduates , inadequate focus on security, debt is all too common, unless/until something affects bottomline there is no pressure.

link
stonogo 1796 days ago
Please note the entire absence of the dollar bill from that document.
link
zimpenfish 1796 days ago
> Please note the entire absence of the dollar bill from that document.

A fair point. I took "dollar bill" to be the generic "US currency" rather than specifically "the $1 bill". But this page covers everything from $1 to $100 (although it seems the $1 and $2 have barely any.)

https://www.uscurrency.gov/denominations/

link