|
|
|
|
|
|
by michaelmior
1288 days ago
|
|
|
> stop pretending you can read a hundred million lines in your life time. For me, and I assume most others, it's not that we expect to read all the code ourselves. It's that there's a large developer community and security researchers who have access to the code who will collectively read it all. Of course this isn't a guarantee that there are no security flaws, and you still have the pipeline problem of ensuring the binaries you get actually come from the code you think they do. But all else being equal, I think open source provides a significant level of threat mitigation. Even if you fully trust Apple not to intentionally back door anything, there's far fewer eyeballs on their code. Given that access to source code also has the potential to reveal security holes that may have gone unexploited, there of course a tradeoff here too. |
|
|
Yeah, about that, I'm as much of an Open Source buff as anyone, but:
> Analysis of the source code history of Bash shows the Shellshock bug was introduced on 5 August <<1989>>, and released in Bash version 1.03 on 1 September 1989.
[...]
> The presence of the bug was announced to the public on <<2014-09-24>>, when Bash updates with the fix were ready for distribution, though it took some time for computers to be updated to close the potential security issue.
Especially older Open Source software tends to have maintainers that haven't adopted modern software development practices so we're back to square one, since most of this older software is foundational technology, like Bash.