Hacker News new | ask | show | jobs
by oblio 1287 days ago
> It's that there's a large developer community and security researchers who have access to the code who will collectively read it all. Of course this isn't a guarantee that there are no security flaws.

Yeah, about that, I'm as much of an Open Source buff as anyone, but:

> Analysis of the source code history of Bash shows the Shellshock bug was introduced on 5 August <<1989>>, and released in Bash version 1.03 on 1 September 1989.

[...]

> The presence of the bug was announced to the public on <<2014-09-24>>, when Bash updates with the fix were ready for distribution, though it took some time for computers to be updated to close the potential security issue.

Especially older Open Source software tends to have maintainers that haven't adopted modern software development practices so we're back to square one, since most of this older software is foundational technology, like Bash.
1 comments
michaelmior 1287 days ago
I'm not sure I understand the concern. I don't think it's at all unlikely that there are such long standing bugs in closed source software that's been around the same amount of time. We might just never hear about it or those bugs might never be found. Of course, I have no proof that's the case, but I'm not convinced that finding longstanding bugs in open source software is evidence of inferior quality (this is what you seem to be implying, but I may be mistaken).
link
oblio 1287 days ago
> but I'm not convinced that finding longstanding bugs in open source software is evidence of inferior quality (this is what you seem to be implying, but I may be mistaken).

I'm not implying inferior quality, I'm implying no correlation.

There was a very strong assumption from back in 1999, that "lots of eyes make all bugs shallow", with a focus especially on security.

In reality, there's no correlation.

You need those eyes to actually be looking at stuff proactively, you want automated scans, you want modern software development practices and CI/CD pipelines, you want those eyes to actually be qualified to look at what they're looking correctly, etc.

Just putting stuff out there and assuming "people will look at its insides" is a bad assumption.

Open Source in my experience is not inherently superior from a security perspective to proprietary software.

link