by digital-rubber 4204 days ago
"All of our code is open source and can be reviewed by anyone. This guarantees maximum security."

Can be reviewed doesn't mean has been reviewed. Nor does it imply any quality of review, or the quality of the reviewers themselves.

And the knife cuts on two sides, though only one side is mentioned, the one side that should attract users. Not the side that every evil-minded person can look through the source code and abuse it before we were able to counter/fix it, etc.


> that every evil-minded person can look through the source code and abuse it before we were able to counter/fix it, etc.

I think this is a worthy application of the phrase "It's a feature, not a bug."

Closed source necessitates that the software hasn't been reviewed by independent programmers, only the authors.

Open source, while it doesn't necessitate that the software has been reviewed, at least provides the potential for it.

In my opinion, it's misleading to advertise your application/products as 'security guaranteed' because it's open source and _can_ be reviewed.

The fact that something is possible to review doesn't imply it will actually happen. See the recent issues in software like OpenSSL, Bash, etc.

Though personally I don't see any motivation that would make me believe the open or closed choice is the better one. They both have risks and costs, which you need to weigh and make your choice upon. And most importantly, accept the risks of your choice (which you can, of course, try to minimise and should).

I do cheer for any software you can choose to run/host yourself on your own network/hardware, and not rely on another party to run and/or host it for you (which brings additional security issues you can't control, physical access etc.).

> Can be reviewed doesn't mean has been reviewed.

Well, you can't blame them if nobody bothers to review their code.

> Not the side that every evil-minded person can look through the source code and abuse it before we were able to counter/fix it, etc.

The same can be said of any other Free Software/Open Source project; the Linux kernel and Apache are prime examples.

Can't blame them for that indeed. But the fact is, this is 'how' they guarantee security. Perhaps after years of development, wide usage and actual reviews :-)

And yes, this is a valid question whenever somebody considers using OSS (or, for proprietary software, how likely it is that an exploit will be found without the source code at hand, and/or how big of a hole it burns in your budget & wallet).