Open source awareness article

Just saw this article and thought it raises an important trust issue, mostly about forks.
[four years to find issues](https://www.zdnet.com/article/open-source-software-security-vulnerabilities-exist-for-over-four-years-before-detection-study/)


How many years to find issues in closed source? Bet you half a dollar it is a much longer time than four years.


MS: Open source is evil, Linux is a cancer!
MS: Wait, no… we love open source projects!
MS: See? We bought GitHub, now we are in control of numerous open source projects' integrity.
MS: Let's make stats about open source projects to show how shitty they are, but… to improve them! (thx to zdnet for the contribution)

Next step: security layer offered by MS? No thx.

The problem is not about open source or forks, it's about the complexity of the computer tool.

There are lists of vulnerabilities found that are older than 10 years, in both open and closed source.


What?
Who is to say that the ones doing the security audits immediately report the issues they find?
Might be the case with https://protonmail.com/blog/eu-attack-on-encryption/


Just gives me a greater belief in Purism, as it's so young and dedicated, not some bloated monolith like iOS or MS.

I think people see what they want to see. As has been addressed time and time again here, open source is not some magic cure-all, and never will be.

It all boils down to trust for 99.9% of the world’s population.

For 99% it's belief, not trust; only those who understand the risks can afford trust.

This isn’t about trust though. This is about the practical matter of how long it takes to spot a bug (in open source software), and how much longer that time is than the time to fix it once it is spotted.

The researcher has a clear conflict of interest and perhaps that ought to be declared. Regardless though, let’s take the research at face value - and take it as an opportunity to do better.

Obviously the best vulnerability is the one that didn't exist in the first place, i.e., higher quality, defect-free code to start with.

This isn’t really a comparison of “closed source” v. “open source”. None of us will ever be able to spot a bug in Microsoft’s closed source software, not in the lifetime of the universe. The article presents no data for closed source software, Microsoft or otherwise.

In some respects it is easier to find a bug in open source software. It then comes down to whether the finder is black hat or white hat. That attracts security researchers to open source software, as a more productive exercise. That doesn’t mean that closed source software is defect free. It just means that security researchers are less likely to find bugs in closed source software. Security researchers are assumed to be white hat. However black hats are out there, no doubt keeping their closed source software vulnerabilities to themselves, for exploitation or monetization.

Oddly enough it's been canceled already … sighs - as with most things about 'conspiracy' theories lately (entire snooptube channels being shut down for no good reason).