Good example: Chromium blob found by Debian (via LWN)

Bernhard Reiter bernhard at fsfe.org
Wed Jul 1 07:52:27 UTC 2015


On Tuesday, 30 June 2015 22:08:21, Florian Weimer wrote:
> * Bernhard Reiter:
> > We all know that the review that is actually happening
> > is really important for raising the quality of software.
> > Free Software always enables third party peer review,
> > which makes it an important precondition for good security.
> >
> > Here is an example where the peer review of Debian
> > found an issue that - most likely - slipped the Google devs.
>
> I find it difficult to fit this comment to the available facts.
>
> The issue was discovered based on application behavior.  Application
> behavior is independent of source code availability.

I am arguing in two ways:
a) the possibility of code level peer review has grown a community
   where people do peer review, collect reports and actually examine them 
   in public. This has a much higher chance with Free Software to happen.
   Debian actually has to rebuild the source code and change it in some
   places (in contrast to just looking at the code, aka only permitted
   to passive code "access").
b) in the further examination of this case, the response of a google
   engineer was: it is not active, you can verify this in the code >here<.
   So active access to the source code plays a role in how this was
   further examined and resolved.

Both are peer review to me, enabled by Free Software.
So it shows the value of the Debian community.
(Some of the recent media events have singled out harder parts of the Debian
culture; here it shows some of its numerous strengths for the wider software
communities.)

> You don't have to be a peer to spot anomalous application behavior.
> For widely used software, I expect that most anomalies are spotted by
> end users who are not developers.

I agree with this statement. To me review does not stop at the observation,
the issue must be qualified and then handled.

> Google keeps the download code in Chromium to reduce divergence
> between the open and closed code bases (yes, “keeps“, it's still
> there, only that there is now a build switch).  As far as I can tell,
> this is a deliberate choice, and the developers were genuinely
> surprised by the public reaction.

I think the solution with the build switch is fine. Most people did not get 
the full story and therefore I guess that most of the public reaction 
comes from waking up to the fact that they are trusting a lot of pieces
of software. 

Best,
Bernhard


-- 
FSFE -- Founding Member of the GA            blogs.fsfe.org/bernhard
Support our work for Free Software:     https://fsfe.org/support/?ber