[dismalaf]

Realistically there's no reason government can't use open source software and open formats especially.

Last time I had to fill out a government form in Canada, it was a PDF that only opened in the Windows desktop version of Adobe Acrobat... Even the Android version couldn't open it. Super annoying and completely unnecessary.

Edit - I don't even care if they keep their server code proprietary. But just use free formats, save our taxpayer money on stuff like Windows and Office licenses, and make it easy for citizens to interact with them. I'd even rather they hire some more local devs than send money out of the country.

[NotOscarWilde]

> Realistically there's no reason government can't use open source software and open formats especially.

> Last time I had to fill out a government form in Canada (...)

Without any evidence, let me argue why maybe it shouldn't. In the past, a common opinion that I have heard is that open source is more secure because all the code is out in the open.

The recent xzutils backdoor attempt [1] kind of led me to believe it's not really true, it's only true if many good-actor eyeballs, which are willing to donate their time for public benefit, are on the code.

Almost all of the government's code that I interact with are web apps that are potential targets of foreign adversaries -- tax filing web apps, prescription + vaccination scheduling web apps, family benefit applications, and more. (This is not in Czechia, but close.)

Now, would I want to read that web app code? Not at all, I couldn't care less about it. However, foreign adversaries would love to immediately start analyzing it. Extracting the entire country's health data or tax data would be a goldmine.

And even though there probably are several people actively paid to maintain security of these systems, I feel that the foreign adversarial agents would be much more motivated (and better paid) than government employees/software developers.

You could make a opt-out for national-security purposes for the code, but I feel almost all the code a government works on would have such an impact when compromised.

[1]: https://en.wikipedia.org/wiki/XZ_Utils_backdoor

(Disclaimer: I am a huge supporter of open source in general, contributed to the Linux ecosystem in the past and in my current job as an academic, almost everything I do is available out in the open in some way or another.)

[dismalaf]

Microsoft has literally been hacked multiple times by Russia in the last few years. Our government lost hundreds of thousands of CRA (tax agency) credentials to hackers and had to lock millions of accounts. Other agencies have also been breached.

Meanwhile the XZ backdoor was found in Sid, Arch and pre-releases of Fedora and openSuse. It never actually made it into any numbered release of Fedora, openSuse, Ubuntu, Debian, Red Hat or Suse distro. It's actually a pretty big win and the system worked as intended.

Open source and Linux are doing just fine security-wise.

Also, none of this has anything to do with using offline tools like a word processor to make documents.

[dralley]

>Meanwhile the XZ backdoor was found in Sid, Arch and pre-releases of Fedora and openSuse. It never actually made it into any numbered release of Fedora, openSuse, Ubuntu, Debian, Red Hat or Suse distro. It's actually a pretty big win and the system worked as intended.

I would maybe not go quite that far. That it got caught was mostly a confluence of lucky breaks and accidents. The second version of the exploit would likely have not been detected if not for the fact that the first version of the exploit had a couple of programming mistakes that attracted some attention to itself.

[dismalaf]

The entire thesis behind the open source security model is to have lots of eyes on the code/program, since more eyes = more likelihood of catching it. Even if you say it's accidental, let's say the odds of catching it are 0.00001. Repeat that enough times and you get 1.

It was caught before any distro released with it. The system worked.

[dralley]

If one of the Debian or Fedora developers had immediately caught on to what they were looking at when their attention was drawn to it by the failures, I would say the system worked. It's certainly true that open source saved the day here, but that's maybe different from saying "the system" worked. It easily could have gone unnoticed, or been noticed a few weeks later.

[dismalaf]

It could have also been noticed earlier. Maybe it was luck it was detected so late?

[switknee]

The xz backdoor was caught before anyone used it. This is typical of open source backdoors, but atypical of proprietary ones. History is full of proprietary software with backdoors which were discovered after years or decades of being actively used. Lotus notes, RSA corporation, Cisco routers, Juniper switches, Huawei everything.

We have more or less immutable history of every change leading to every release of open source software. Any backdoors you previously created under an identity could burn that identity forever. That history is not available for proprietary software. If someone adds a backdoor in proprietary software for two years and then removes it in later versions, it's totally likely it'll never be noticed.

Thinking that open source software is at greater risk of being backdoored is akin to thinking most trees in the world grow along the road, just because you drive everywhere and have never been inside a forest.

[lordnacho]

Every country already has a special government agency that deals with keeping stuff protected. In fact you tend to think the people who know most about this are in government, don't you?

And it's not like there haven't been vulnerabilities found in proprietary software, despite them paying people to keep things safe.

[jniles]

Crowdstrike is a recent example that comes to mind. I don't see how paying for CrowdStrike made it more secure or reliable.

I would also argue that you could take all the $$ paying for proprietary software and contribute it to people who are making the open source software, making the reliance on "free" eyeballs less of an issue.