[Sussex] What path does one take

Geoff Teale gteale at cmedresearch.com
Thu Oct 19 13:19:05 UTC 2006


With regard to viruses and security in general, there are several
reasons why free software *can* be (and often *is*) more robust than
commercial vendors' products:

  1. It is not *necessarily* the case that there is any commercial
interest outweighing security concerns (In Microsoft's case this has
nearly always been a contributing factor - why the hell else would you
ever allow e-mails to invoke arbitrary scripts!).

  2. Openness (Freedom of information) as an approach provides the
following benefits:

   - peer review (sometimes even mass peer review)
      - preemptive fixing (more on that later)
   - rapid patch production where work is distributed 
   - people who care about security can contribute code (this is a major
point - most commercial software teams have concerns that come above
this (see point 1))
   - people who care about security can produce whole distributions that
are fanatically secure
  
Now, you'll notice I've used a few vague terms there.  They refer to the
following truths:

  * Not all F/L/OSS is made by experts.
  * Not all F/L/OSS is of interest to people who care about security
  * Corporate sponsors of F/L/OSS (IBM, RedHat, Novell, etc) clearly
*do* have commercial concerns 

However, in practice - the fundamental parts of GNU/Linux are secured by
people who really care about security and aren't being pressured to
deliver another superficial, shiny, feature at the cost of that goal.  

There is of course a scale here - I'm prepared to bet quite a bit that a
default Novell SLED installation is less secure than a default OpenBSD
installation for the commercial reasons I've stated.   The key thing is
that choice is everything and F/L/OSS presents the opportunity for
creation of new choices on a common basis.

There's also been a tendency for analysts to pull out stats like
"Firefox has had more security patches than IE in the last calendar year
- it is therefore less secure".  This logic is flawed: fixed problems
are by definition no longer problems, and the number of such problems
we've experienced in the past is not really relevant to how secure the
product is in the future. Many F/L/OSS programs are patched
pre-emptively by the person who finds the potential flaw, thus they
never become *real* security problems - this is less true for
proprietary software.

As for the "amateur hour" programmer in the F/L/OSS community, their
contributions tend to be trivialities (not core apps) and rarely have
any opportunity to do anything destructive in the way they might on
Windows.  It's also vital that such people exist - everyone was a
beginner once!
-- 
Geoff Teale
Software Engineering Team Leader

Cmed Group Ltd.
Holmwood
Broadlands Business Campus
Langhurstwood Road
Horsham RH12 4QP
United Kingdom

T +44 (0)1403 755071
M +44 (0)7914 850491
E gteale at cmedresearch.com
W www.cmedresearch.com
__________________________________________________________

Driven by technology. Guided by experience.
__________________________________________________________