[Pdx-pm] kwiki, Mediawiki, PHP, and the Dark One

Michael G Schwern schwern at pobox.com
Thu Mar 1 22:44:50 PST 2007


chromatic wrote:
> On Thursday 01 March 2007 22:09, Michael G Schwern wrote:
> 
>> chromatic wrote:
> 
>>> I'm sorry, it's just that you used the phrase "code audit" with a plural
>>> noun greater than maybe three people.
>>>
>>> http://www.onlamp.com/pub/a/security/2004/09/16/open_source_security_myths.html
>> <rant>
>> What a bitch-fest that article is.  Commercial programmers don't know jack
>> about security, either.  Maybe one in a thousand will have a professional
>> come in and have a look.  At least when you're doing it open you know
>> you're working in front of a window.  I don't know how many times I've seen
>> insecure commercial code written with the excuse that nobody will guess
>> where the hole is.
>> </rant>
> 
> Hey, at least with open source you have millions of people who could but don't 
> look for security holes.
> 
> I'm sure not auditing the Mozilla or OO.o codebases for problems.  I fixed a 
> few in Parrot though.

I think this comment sums up my feelings nicely.

(From http://www.oreillynet.com/cs/user/view/cs_msg/44754)

The entire argument for whether closed or open source produces more secure
code is highly flawed, and for the exact reason that is stated early on in
this article: the question must be handled on a case-by-case basis.

...

An advantage of open source in this arena is that independent auditors may
choose to check for security issues and bugs in the code, and can fix them
when they are found. With closed source, something like this requires a
special arrangement with the rightsholder.  Note that this does not make the
F/OSS software more secure by default; if no one with the right skills is
looking at the code, holes won't be found. But at least a company or
individual has the option to commence such an audit independently.
