How much source have you looked over?


hop-frog
06-09-2003, 11:45 PM
One benefit of open source code is that everyone can take a look at the internals of a program to ensure that it can be trusted. As mentioned several times in other threads people have stated that they don't trust closed source software.

Is open source really any safer? Are there enough people looking over the Linux source and the source code of the programs that you are using?

How much code do you look over? How well do you understand it?

pr0c
06-10-2003, 12:01 AM
IMHO you don't necessarily have to look in the source. Who would try to put destructive code in open source code? The other part is that professionals (I'm not saying you aren't, but I'm not..) are able to look at the code and analyze it at any point. Simply having the ability does the job 9 out of 10 times.

Looking at it doesn't make it safer, understanding it does. If you don't understand it then what good does it do _you_ to look at it?


The other thing too is that most people don't compile their own programs, they download binaries, so even though it's open source it doesn't mean that's the real source that was used.

In short, if you don't understand the code rest assured that someone else does and they have looked it over. And if not, everyone assumes they have so no-one tries to pull a fast one.
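Added example, not code from this thread or from any project mentioned in it: the point above, that the binary you download need not be what the published source produces, is the reason projects ship a checksum manifest (and a signature over it) beside each release. The script below is my own illustration of that check. It assumes the manifest uses the `sha256sum` line format ("64 hex digits, two spaces, filename"); the archive name `foo-1.0.tar.gz`, its contents and the tampering are constructed for the demo. A matching hash only proves the file is the one the publisher listed, so the manifest itself has to be verified with the project's signing key, otherwise whoever swapped the tarball on a mirror swaps the manifest too. Whether a binary was really built from the published source is a separate question that only a reproducible build answers.

```python
"""Added example, not code from this thread: verify downloaded release files
against a sha256sum-style manifest ("<64 hex chars>  <name>") before building
or running them. File names, contents and digests below are constructed for
the demo. Hash matching only proves the file is the one the publisher listed;
the manifest itself must be verified with the project's signing key (e.g. a
detached GPG signature), or an attacker who replaced the tarball can replace
the manifest too."""
import hashlib
import hmac
import os
import tempfile


def parse_manifest(text):
    """Parse sha256sum-style lines into {filename: hexdigest}.

    Handles both separators sha256sum uses: "  " (text mode) and " *"
    (binary mode). Malformed lines raise instead of being skipped, so a
    corrupted or truncated manifest fails closed rather than silently
    dropping an entry.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if len(line) < 66 or line[64] != " " or line[65] not in (" ", "*"):
            raise ValueError("malformed manifest line %d: %r" % (lineno, raw))
        digest, name = line[:64].lower(), line[66:]
        if any(c not in "0123456789abcdef" for c in digest) or not name:
            raise ValueError("malformed manifest line %d: %r" % (lineno, raw))
        entries[name] = digest
    return entries


def sha256_file(path):
    """Stream the file through SHA-256 so a large tarball need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(manifest_text, directory):
    """Check every file listed in the manifest. Returns (all_ok, problems).

    Only the basename of each entry is used, so a hostile manifest cannot
    point the check at files outside `directory`.
    """
    problems = []
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            problems.append("%s: missing" % name)
            continue
        actual = sha256_file(path)
        if not hmac.compare_digest(actual, expected):
            problems.append("%s: expected %s, got %s" % (name, expected, actual))
    return (not problems, problems)


def demo():
    """Write a constructed 'release' archive, verify it, tamper with it, verify again."""
    archive = "foo-1.0.tar.gz"  # hypothetical release name, not a real project
    original = b"constructed stand-in for a source tarball\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, archive)
        with open(path, "wb") as f:
            f.write(original)
        # The manifest a publisher would ship beside the archive (and sign).
        manifest = "%s  %s\n" % (hashlib.sha256(original).hexdigest(), archive)
        ok_clean, _ = verify(manifest, d)
        # Mirror compromise: the archive is swapped, the signed manifest is not.
        with open(path, "ab") as f:
            f.write(b"# trojan appended by a hostile mirror (constructed)\n")
        ok_tampered, problems = verify(manifest, d)
    return ok_clean, ok_tampered, problems


if __name__ == "__main__":
    clean, tampered, problems = demo()
    print("clean archive verified:", clean)
    print("tampered archive verified:", tampered)
    for p in problems:
        print(" ", p)
```

In practice the manifest text comes from the release's checksum file after `gpg --verify` has accepted its detached signature; `verify()` then refuses the build if any listed file is missing or differs, which is the same fail-closed behaviour `sha256sum -c` gives from the shell.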

hop-frog
06-10-2003, 12:15 AM
Originally posted by pr0c
In short, if you dont' understand the code rest assured that someone else does and they have looked it over. And if not everyone assumes they have so no-one tries to pull a fast one.
They get away with it either way. Even if the code is noticed, cleaned up, and widely reported, nothing is likely to happen to the person who wrote the code. It is not like there are open source police.

Alex Cavnar, aka alc6379
06-10-2003, 01:59 AM
Originally posted by hop-frog
They get away with it either way. Even if the code is noticed, cleaned up, and widely reported, nothing is likely to happen to the person who wrote the code. It is not like there are open source police.

That is kind of interesting, if you think about it. If someone releases their code under the GPL, and it contained malicious code, I wonder if you could be taken to court over it? I mean, the GPL has in it a clause basically stating, "We're not liable for what this code damages, so use it at your own risk."

But if someone intentionally put something bad in there, would that violate the GPL in any way?

noidea
06-10-2003, 03:21 AM
That happens in the Windows world day by day, but nobody seems to care!
M$ even certifies that cr@p as long as they get paid for it!

ooops, typo!

jdctx
06-10-2003, 03:53 AM
I don't think that the use at your own risk disclaimer covers code which was created with malicious intent.

The biggest problem I see comes when someone alters existing code then releases it under the original name.

To avoid problems I would think that keeping copies and updates to all code written is extremely important even pre-release versions.

hop-frog
06-10-2003, 08:09 PM
Even if the code was very damaging and you could take them to court for it, how would you find the author? What if they used a false name?

cjanscen
06-10-2003, 08:21 PM
I agree, everybody is like "open source this, open source that, blah blah blah", but only [insert point-making statistic] % of people who use open source software ever even compile their software, let alone look at the source. And furthermore the vocal ones get on this moral-high-horse about licenses "GPL blah blah BSD blah blah...".....WHO CARES...

I like open source software because I can compile for my computer, and know that I have the most optimised system possible, like Gentoo. Sometimes I look at source just to see how other people are programming, try to learn some new tricks, whatever, but the most important thing about software is the quality.....not whether it's under license X or Y or has open source or not, and that's why I use Linux.

hop-frog
06-10-2003, 09:16 PM
Originally posted by Alex Cavnar, aka alc6379
But if someone intentionally put something bad in there, would that violate the GPL in any way?

I looked through the GPL (http://www.gnu.org/copyleft/gpl.html) and its corresponding FAQ (http://www.gnu.org/licenses/gpl-faq.html) and I could not turn up anything. As far as violations go, the FAQ only covers a few situations (http://www.gnu.org/licenses/gpl-faq.html#TOCReportingViolation) and it tells you to report any such violations here (http://www.gnu.org/licenses/gpl-violation.html). What happens if a violation is reported? Will GNU take care of it or will the original developers of the code have to take matters into their own hands (http://www.gnu.org/licenses/gpl-faq.html#WhoHasThePower)?

Hayl
06-10-2003, 09:29 PM
Originally posted by hop-frog
I looked through the GPL (http://www.gnu.org/copyleft/gpl.html) and its corresponding FAQ (http://www.gnu.org/licenses/gpl-faq.html) and I could not turn up anything. As far as violations go, the FAQ only covers a few situations (http://www.gnu.org/licenses/gpl-faq.html#TOCReportingViolation) and it tells you to report any such violations here (http://www.gnu.org/licenses/gpl-violation.html). What happens if a violation is reported? Will GNU take care of it or will the original developers of the code have to take matters into their own hands (http://www.gnu.org/licenses/gpl-faq.html#WhoHasThePower)?

code in the GPL is provided as-is with no warranty.

iGuy
06-10-2003, 09:33 PM
Actually, some of us are looking through the code.

It's educational. 'C' the future.

Use the source, Luke.

It is also pretty simple. Just learn C. That is, I am not Java'n you. If I can do it -- then you can too. But, my suggestion is that you can't learn by just reading. You will have to code.

So?

Strogian
06-10-2003, 09:53 PM
I like looking at source to figure out things that the documentation leaves out.

bwkaz
06-10-2003, 10:10 PM
Originally posted by jdctx
I don't think that the use at your own risk disclaimer covers code which was created with malicious intent.

I think it covers everything -- but I'm definitely not a lawyer. ;)

The biggest problem I see comes when someone alters existing code then releases it under the original name.

I don't think they can. I believe I remember seeing a clause in the GPL that modified versions could be redistributed, as long as it was made VERY clear that the version being redistributed was modified (whether through a version change, or a run-time message, or whatever).

Originally posted by hop-frog
Even if the code was very damaging and you could take them to court for it, how would you find the author? What if they used a false name?

I think that the consequences of purposefully distributing malicious code aren't monetary, they're ego-based.

Robert Morris has basically been ostracized for life (if not longer) because of the Internet Worm he wrote, exploiting security holes in a few different packages (Sendmail, for one, but also others). I think that most (of course, this doesn't help too much) open-source programmers are egotistical enough that they wouldn't distribute anything harmful, just because of the stigma that would follow them around.

But, there are probably some that would -- of course, these are going to be the ones that don't have much else to speak of, contribution-wise, or whatever. They'd be the people where the malicious code in question is either their first contribution to any project at all, or it's their first project published.

And maybe Sourceforge / Freshmeat do reviews? Or maybe there's an address you can complain about Freshmeat packages to?

hop-frog
06-10-2003, 10:16 PM
From the GPL
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.

If I am understanding this right, there might be some warranty depending on where you live. I'm not a lawyer either.

Strogian
06-10-2003, 11:20 PM
There are legal penalties for distributing malicious code. I doubt that you can have a disclaimer that frees you from the responsibility of not distributing malicious code, but I don't really know.

hop-frog
06-11-2003, 12:52 AM
Originally posted by pr0c
Who would try to put destructive code in open source code?

Has anyone seen the big message at the top of The Linux Kernel Hacker's Guide (http://www.tldp.org/LDP/khg/HyperNews/get/khg.html)? Could this be any indication that there is a growing threat?

Originally posted by Strogian
There are legal penalties for distributing malicious code. I doubt that you can have a disclaimer that frees you from the responsibility of not distributing malicious code, but I don't really know.

I see your point. It is unfortunate that legal penalties are only a good deterrent when people are educated about them and when police are actively enforcing them. Consider the number of script kiddies roaming the net and tell me whether they are aware of or even concerned with the possible consequences.

sarah31
06-11-2003, 01:47 AM
let's put it this way....the issue is moot. malicious code rarely gets around and is quite quickly flushed from the circuit. that's the advantage of open source .... with the overwhelming majority of eyes looking at the code being very non-malicious, evil code does not get very far.

there are also a wealth of measures developers can take to protect their code. not from hacking per se but from any ramifications if their code is hacked.

not that i don't think that this is a concern but this thread reeks of paranoia.

bwkaz
06-11-2003, 11:00 PM
Originally posted by hop-frog
Has anyone seen the big message at the top of The Linux Kernel Hacker's Guide (http://www.tldp.org/LDP/khg/HyperNews/get/khg.html)? Could this be any indication that there is a growing threat?

Could be, but the way I read it, it's a bunch of morons confusing "hacking" with "cracking".

In other words, it's a bunch of script kiddies (or similar) thinking that this guide is a way for them to crack into other people's systems, rather than a guide for how to contribute to the kernel.

But hey, that might just be my cynic side... ;)

hop-frog
06-12-2003, 12:37 AM
Originally posted by bwkaz
In other words, it's a bunch of script kiddies (or similar) thinking that this guide is a way for them to crack into other people's systems, rather than a guide for how to contribute to the kernel.

More specifically the script kiddies were looking for a way to crack Linux systems.

hop-frog
06-12-2003, 01:03 AM
Originally posted by sarah31
not that i don't think that this is a concern but this thread reeks of paranoia.

You are probably right. I started this thread after seeing the How does M spy on the end user? (http://www.justlinux.com/forum/showthread.php?s=&threadid=103163) thread. So many people posted to that thread saying that they feel much safer with an open source system. I doubted that many of them were actually checking the source, which would be what makes it safe.

So far my survey has concluded that out of all of the people who read /dev/random, only look through the source code. Maybe most people just didn't realize that this is a survey?

Originally posted by hop-frog
How much code do you look over? How well do you understand it?

Alex Cavnar, aka alc6379
06-12-2003, 03:48 AM
I didn't realize this was specifically a survey. IMO, this thread deserved a poll, unlike many threads that have polls.

Personally, I have looked through the Linux kernel code, and after looking up what certain functions were, I had a decent idea of what that particular portion of code was all about.

I actually twiddled around with the 2.4.18 kernel sources to get UFS support working to mount my FreeBSD partitions. Turned out that the 2.4.18 UFS code didn't support the block size I was using. Simply adding it into the code (I think the size was 16384) in the right places allowed the kernel to mount it perfectly.

Just as I was preparing to submit a patch, I looked through the corresponding code in kernel 2.4.20. Turns out that the whole thing had been redone, and it didn't have static values for the block size anymore.

Alas. yet another spotlight yanked away, I thought, but in hindsight, I guess it was better. What if somebody decided to use a 32768 block size? Then that would have needed addition, too. This could be repeated quite a bit...

terribleRobbo
06-12-2003, 04:54 AM
Bow down to alc the kernel hacker!
I've joined the fan club. :D

Can I have your autograph, mister? :)

Alex Cavnar, aka alc6379
06-12-2003, 11:28 PM
Originally posted by terribleRobbo
Bow down to alc the kernel hacker!
I've joined the fan club. :D

Can I have your autograph, mister? :)


HAH! That's cute. I'm going to do an impression for you. This impression is of me trying to write a C program:

:confused:

I just happen to know enough C to get me into trouble...

spreelanka
06-14-2003, 10:12 PM
this thread is just silly. i mean look at the media, it blows everything out of proportion. think what would happen if slashdot found out that redhat had been putting backdoor junk in their new fancy shmancy updater thingy. Crucifixion! that's what! not to mention Richard Stallman assassinating every member of the company! :-p besides that, what's the point? it's not like the opensource community has to protect against piracy or (for the most part) collect consumer profiles, or any of the silly stuff they do in redmond. besides, there's always someone geekier than you who HAS read the code, probably many times over.

Alex Cavnar, aka alc6379
06-15-2003, 12:15 AM
Originally posted by spreelanka
this thread is just silly. i mean look at the media, it blows everything out of proportion. think what would happen if slashdot found out that redhat had been putting backdoor junk in their new fancy shmancy updater thingy. Crucifixion! that's what! not to mention Richard Stallman assassinating every member of the company! :-p besides that, what's the point? it's not like the opensource community has to protect against piracy or (for the most part) collect consumer profiles, or any of the silly stuff they do in redmond. besides, there's always someone geekier than you who HAS read the code, probably many times over.

How is this post silly? I'm not sure I quite understand...

You are correct in the regard that were an entity to produce software with intentional back-doors and the like, the community would probably shun that entity, be it a group or a person. That point was made before, and well noted.

But, why does it matter that someone geekier has read the source code to a program I use? If you wanted to say that, you could go so far as to say, "Well, some REALLY geeky folks can read the Windows source code, so I don't have to!" I may be reading too much into your statement, but that would seem to imply that because these "geekier than thou" persons can read the code, that we should all just take them at their word that it's good.

I compare it to religion. Before Martin Luther, only the priests and powerful religious heads could read the then Latin-only Bible. Since the common folk didn't know Latin, the religious powers could just walk in and say "SEE! it says in the Bible, right here, that we can take your land, and you have to praise God that we're relieving you of it!"

Sure, many people don't know what the heck int main() { is in a C program, but at least they'd have the code available to them. Luckily, most OSS programmers comment their code really well, so you'd at least have a clue as to what's happening.

If you take the word of some person who is "above" you just because they're "above" you, you'll never do anything but stay below them.

Strogian
06-15-2003, 12:26 AM
I compare it to religion. Before Martin Luther, only the priests and powerful religious heads could read the then Latin-only Bible. Since the common folk didn't know Latin, the religious powers could just walk in and say "SEE! it says in the Bible, right here, that we can take your land, and you have to praise God that we're relieving you of it!"

Except that was an organization. Hackers are not. All it takes is one person to spread the word about a bad program. And they would have *proof*, because they have the source code. If God's Notes on the Creation of the Universe was publicly available, then I'm sure that people would've quickly said "screw you" to the religious powers. ;) Even if *that* were written in Latin, someone would've said "umm.. here it actually says, that you CAN'T take our land. Yep, it's in the Notes. You can't argue with the Notes." :D

Hmm.. I hope we don't take this religion analogy too far now.. :D

hop-frog
06-15-2003, 02:09 AM
Originally posted by Strogian
All it takes is one person to spread the word about a bad program.

All it takes is one string of malicious code to slip through unnoticed.

How many programs are posted or updated on Freshmeat each day? I'd say somewhere between 40 and 50. How many people are reviewing that source and how often? If there aren't enough people reading the code, then malicious code will slip by unnoticed.

Is there a threat? I can't say for sure. Unless someone can hold up their arguments or unless someone can find some better statistics, then I'm not convinced otherwise. So far, from all I can tell, very few people at JustLinux are reading the source. Maybe there just isn't a very high concentration of these "geekier" people at this site. Maybe there is a huge community of Beta testers out there that I just don't know about.

If there is such a problem then we should not ignore it. There may be an easy way to suppress it.

randabis
06-15-2003, 04:05 AM
CVS is monitored pretty well though don't you think?

spiderbaby1958
06-15-2003, 10:20 AM
My god, have I looked at the source code? Are you kidding? I'm still trying to figure out KDE, fer cryin out loud!

I'd like to say that yes, absolutely I feel more secure about open source software than about closed source software-- but this doesn't necessarily indicate that open source might not have its own issues around security that we need to be honest and aware of.

I'd also like to point out that the GPL has nothing on Microsoft's EULA for evading liability. I've read that the idea that you can sue Microsoft if something goes wrong with Windows is a myth.

I think that anyone who is concerned about the possibility of malicious code should consider the stable version of Debian, which is released by the Free Software Foundation with such care that apparently it's always considered a little out of date. This is in marked contrast to MS's reputation of rushing software into the market. I am no expert at any of this, and I may be naive, but I can't imagine software being publicly released under circumstances that could inspire more confidence than the stable Debian.

Aren't most viruses spread by email, instead of software? Personally, I think that there are limits to security, always will be, and we will always need to live within them. The best security measures are the simplest. We need to back up our data, and avoid building our lives and society on a complex network of complex networks. In a large organization, not every computer needs to be connected to the net.

The Microsoft plan to promote networking in every area of our lives seems wrongheaded from every perspective other than the Microsoft bottom line. All of this networking not only seems insecure, it also seems like a pain in the ***. Am I really such a vapid, lazy sack of lard that I need a computer network to turn down my stereo, or so that I won't occasionally have to fumble for housekeys? TCPA was probably supposed to inspire confidence, for many of us, that's not really how its working out.

God, can I write about anything to do with computers without it morphing into yet another anti-Microsoft manifesto? Do I even want to?

Strogian
06-15-2003, 10:58 AM
Maybe there just isn't a very high concentration of these "geekier" people at this site.

True. :) This site used to be called linuxnewbie.org, remember? "Geeker" people don't waste their time here. ;)

All it takes is one string of malicious code to slip through unnoticed.

How many programs are posted or updated on Freshmeat each day? I'd say somewhere between 40 and 50. How many people are reviewing that source and how often? If there aren't enough people reading the code, then malicious code will slip by unnoticed.

How many of those programs are you actually using, though? I'm sure that somewhere, there exists some open-source code that nobody has bothered to look through. But, if it has any popularity at all, you can bet that someone wants to know how it works. And to know that, you have to look at the source code.

I realize that, if you want to be *absolutely* sure, you have to look at all the source, for every program you installed, yourself. But if security is that critical, you are probably better off writing your own closed-source OS. :) I can say though, with absolute certainty, that open-source software is better than closed-source software in this respect. And if you only use "mainstream" software, you probably don't have any malicious code running.

Strogian
06-15-2003, 03:54 PM
Originally posted by hop-frog
I use 4 out of 51 programs that were listed yesterday.


So now am I limited to using popular software?

If you are worried enough about security, then yes. :) If you think it's worth it to not use unheard-of software, then don't. If you think it's worth it to not use closed-source software, then don't. If you think it's worth it to not use ANY software but your own, then don't. That's all there is to it. :)

But why would you really be that worried about security? *Most likely*, the programs you use will not have bad stuff in them. You're taking the same risks when running _any_ closed-source program (created by an individual -- probably not with commercial software ;)). At least if it's open-source, people have the opportunity to snoop around in the code.