Download Sites Hacked, Source Code Backdoored
Brian McWilliams, SecurityFocus 2002-06-03

The popular open-source security tool Fragroute is bugged in plain sight by unknown hackers, who may have struck before.

Download Sites Hacked, Source Code Backdoored 2002-06-04
Coldman (6 replies)
Download Sites Hacked, Source Code Backdoored 2002-06-04
doxavg (1 replies)
>These examples show that open source code is not more
>secure than closed source code, probably even more
>dangerous, since most people [wrongly] believe that OS
>software is less vulnerable...

The argument for open source software being more secure than closed source software has nothing to do with this problem. That argument is about most visibility into the source code. Tell me, if Dug Song had distributed all his programs in binary only form, would we be any more protected from the monkey.org servers being compromised? No, in fact a virus in a binary only distribution would likely be even worse.

>Most users who download sources and then compile those
>usually don't have enough knowledge and experience to make
>any changes (even small ones), so they obviously can't check
>that the code is free from backdoors...

I agree with this point from a fundamental level. However, while the average user might not have the knowledge to check, there are some of us that do, or at least have our boxes locked down tight enough that we'd notice an issue like this.

Those are the ones that will get the word out.

>And concerning digital signatures... Well, again - most
>users are not going to check those anyway, so... It is
>possible to force signature checking on binary installation
>in some systems, but you just cannot force this in case of
>sources. No way...

Agreed..sort of. ;) I admit, I don't have a good solution for this problem, digital signatures do help, just not enough.

--Dox

well.. 2002-06-04
frozen chocolate jesus
Download Sites Hacked, Source Code Backdoored 2002-06-04
cras (1 replies)
Download Sites Hacked, Source Code Backdoored 2002-06-05
Anonymous (1 replies)
Download Sites Hacked, Source Code Backdoored 2002-06-07
Chris Berry <compjma (at) hotmail (dot) com [email concealed]> (1 replies)
open vrs closed... 2002-06-05
Anonymous
You're wrong. 2002-06-14
twoforty
Not only one 2002-06-07
notstarh







 

Copyright 2009, SecurityFocus