BBC TV: Click: Free=beer and facebook-flaming

MJ Ray mjr at phonecoop.coop
Sun May 18 11:14:34 UTC 2008


Florian Weimer <fw at deneb.enyo.de> wrote: [...]
> These days, there's hardly any widely used piece of proprietary software
> for which you can't get the source code.

I wasn't aware of this.  The Norton Security tools on Windows cause
some associates of mine many problems.  Even if the apparent bugs
can't be fixed, knowing the precise details of how it worked will
help.  Where can they get the source code?

[...]
> It's also not clear if source code availability is that helpful for
> uncovering security bugs.

Would either the recent openssl/debian zero-entropy mistake or the
openssl dangerous use of uninitialised memory have been uncovered
without source code availability?

It seems to me that closed security software is a bit dangerous.
Treating it as a black box and prodding it with different inputs and
outputs is an inadequate way of testing it, not really checking.

Regards,
-- 
MJ Ray (slef)
Webmaster for hire, statistician and online shop builder for a small
worker cooperative http://www.ttllp.co.uk/ http://mjr.towers.org.uk/
(Notice http://mjr.towers.org.uk/email.html) tel:+44-844-4437-237
