In an ideal world, whether code is open source is neutral. The extra ease of finding bugs is balanced by the fact that people can and do find then fix them. Theory says that these two are, to first order, equivalent. So end user security is the same. (But code quality tends to be higher with open source software.)
However, whenever code moves towards being more open, you've got all of the vulnerabilities of closed source software, and all of the bug-finding ease of open source software. This is the worst of all possible worlds.
Therefore #5 is true. The fact that you have easy access to known-to-be-crappy code increases the vulnerability of that code.
<sarcasm> Right, because somehow people not being paid to work on code write better since they are doing it for their pride, whereas closed source people just lose their jobs if they write crappy code</sarcasm>
Open Source with wide adoption leads to bugs being fixed.
Closed source security through obscurity leads to exploits being only known by those exploiting them. Not a good thing.
Just curious, but wouldn't this indicate that open source code which allows iterators to close off their improvements would produce less vulnerable code overall?
If a vulnerability is found in open source code, people will try it on yours. So they won't be finding it directly in yours, but that is not protecting you.
The real consequence is that how secure a product is depends more on the project than on whether it is open source. Apache and OpenBSD are two examples of very good open source code. Java and Rails are two examples of not so good open source code.
Google's website is an example of good closed source code. The software shipped by Linksys is an example of bad closed source code.
I get that there are different levels of quality regardless of the type of code. I was more interested in the security effects of hiding code after the open source community has had a chance to deal with vulnerabilities. None of the examples you gave were specific to code which has transitioned between open to closed.
What I've gotten from your answer so far is that it isn't an effect which is general, and it'll depend on the project in question. Am I on the mark?
For small projects with few contributors I would agree, but for projects as large as OpenWRT and DDWRT and such, I don't agree.