
Re: [OCLUG-Tech] what are the "five myths about open source"?

  • Subject: Re: [OCLUG-Tech] what are the "five myths about open source"?
  • From: "Robert P. J. Day" <rpjday [ at ] crashcourse [ dot ] ca>
  • Date: Tue, 28 Jun 2011 11:31:14 -0400 (EDT)
On Tue, 28 Jun 2011, Jean-Francois Messier wrote:

> Given my background in IT security, one of the myths I saw about
> OpenSource (at least in large corporate offices) is that it is less
> secure and dangerous. Because of the other myths previously
> mentioned, IT security people who only work in the closed source
> world see the OpenSource as a threat, as the inside of the software
> is revealed, and thus, anyone can insert some trojan or malware.
>
> Actually, OpenSource is more secure, as if one does not trust a
> compiled program, he/she can recompile from source, and perform a
> full source code inspection, which cannot be performed on closed
> programs. It took a lot of effort for the US government and then other
> governments to get their hands on Windows source code, invoking
> national security. Even then, what the consumer/user gets is a
> closed program.

  i've been thinking about this more since it appears i might be
helping to *write* this article, and i'm not sure i can fit this into
an equivalent sound bite, but here goes.

  of course it's useful to have the source for any program so that, if
you're sufficiently paranoid, you can line-by-line check the source.
but as i'm sure many of you know, this argument seems to have less
effect than we would have guessed.  however, these days, it's not just
the source code that one has access to.

  in *many* cases, one has access to the actual version control
repository of a lot of these projects, and that's an amazingly useful
thing in the sense of being able to see not just the current source
but its progress over time, including the commits, their exact
content, their rationale, the committer and so on.  i think this is
far more useful than just access to the source.  what it means is
that, rather than having to recheck the entire code base for each
release, one need only check the change log/commit set to see
*exactly* what's happened, and why, and by whom.

  i certainly expect that i don't need to expand on the value of that
on this list.  however, now i need to find a way to make that point
succinctly and in a couple of paragraphs for maximal effect.

rday

-- 

========================================================================
Robert P. J. Day                                 Ottawa, Ontario, CANADA
                        http://crashcourse.ca

Twitter:                                       http://twitter.com/rpjday
LinkedIn:                               http://ca.linkedin.com/in/rpjday
========================================================================
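The point Robert makes above, that with repository access one need only review the commit set between two releases rather than re-audit the whole tree, is illustrated by the following script. It is an added example written for this archive page, not code from the thread or from any project discussed in it. It assumes only that `git` is installed; the repository it builds in a temporary directory is constructed purely for demonstration, and the tag names `v1.0` and `v1.1`, the author identity and the file contents are all hypothetical.

```shell
#!/bin/sh
# Added example (not part of the original thread): review a release delta
# from version-control history instead of re-reading the entire code base.
# Assumes git is installed. Everything committed below is constructed data.
set -eu

# Build a throwaway repository with two tagged releases so the review
# functions have something to run against. Tags v1.0/v1.1 are hypothetical.
make_demo_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email "dev@example.invalid"   # constructed identity
  git -C "$dir" config user.name "Demo Developer"
  printf 'int main(void) { return 0; }\n' > "$dir/main.c"
  git -C "$dir" add main.c
  git -C "$dir" commit -q -m "Initial import"
  git -C "$dir" tag v1.0
  printf '#include <stdio.h>\nint main(void) { puts("hi"); return 0; }\n' > "$dir/main.c"
  git -C "$dir" commit -q -am "Print a greeting"
  printf 'all: main.c\n\tcc -o main main.c\n' > "$dir/Makefile"
  git -C "$dir" add Makefile
  git -C "$dir" commit -q -m "Add build script"
  git -C "$dir" tag v1.1
  echo "$dir"
}

# One line per commit between two releases: hash, committer identity, date
# and subject. This is the "what happened, why, and by whom" view.
# usage: list_release_commits <repo> <old_tag> <new_tag>
list_release_commits() {
  git -C "$1" log --no-merges --date=short \
    --format='%h %an <%ae> %ad %s' "$2..$3"
}

# How many commits a reviewer has to read for this release (printed to stdout).
count_release_commits() {
  git -C "$1" rev-list --count "$2..$3"
}

# Every file touched between the two tags, so review effort can be directed
# at the paths that matter most (build scripts, configure logic, installers).
list_changed_files() {
  git -C "$1" diff --name-only "$2" "$3"
}

# Exit 0 if the release delta touches build-system files, which deserve a
# closer read than ordinary source changes because they run at build time.
touches_build_system() {
  list_changed_files "$1" "$2" "$3" | grep -Eq '(^|/)(Makefile|configure|.*\.mk|.*\.sh)$'
}

# Usage: build the demo repository and review the v1.0 -> v1.1 delta.
repo=$(make_demo_repo)
echo "Commits to review: $(count_release_commits "$repo" v1.0 v1.1)"
list_release_commits "$repo" v1.0 v1.1
echo "Files changed:"
list_changed_files "$repo" v1.0 v1.1
if touches_build_system "$repo" v1.0 v1.1; then
  echo "Note: build-system files changed in this release; review them first."
fi
rm -rf "$repo"
```

On a real project the `make_demo_repo` step is replaced by a clone of the project's repository, and the two tags are the previously reviewed release and the one under consideration; the per-release review then scales with the size of the commit set rather than the size of the tree.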