Question
We know of Linus' law:
With enough eyeballs all bugs are shallow
In general, people seem to say that open-source software is more secure because of that very thing, but...
There are many small OSS projects with just 1 or 2 developers (the cathedral model, as described by ESR). For these projects, does releasing the source-code actually lower the security? For projects like the Linux kernel there are thousands of developers and security vulnerabilities are quite likely going to be found, but when just some few people look through the source code, while allowing crackers (black hat hackers) to see the source as well, is the security lowered instead of increased?
I know that the security advantage closed-source software has over OSS is security through obscurity, which isn't good (at all), but it could help to some degree, at least by giving those few devs some more time (security through obscurity doesn't help with the if but with the when).
Explanation / Answer
I think it probably does lower security a bit, for an open source project that's so small or obscure that nobody but its authors is really looking at it. In that case, you aren't getting any help with security from a community, but if someone did for some reason target your small obscure project, they'd have an easier time since they'd have the source. Not that they'd have an impossible time without source, but having the source speeds up understanding, whether your intent is friendly or malicious.
A lot of the most common web vulnerabilities (HTML escaping issues, SQL injection, etc.) are pretty easy to check for without having source, too, so it's not like keeping things closed will mean you're safe.
I'd tend to think you're better off just doing what makes sense on the license (open or closed) independent of security concerns, and then treating security as something to worry a lot about either way.