"But surely open source software is less secure, because everybody can see it, and they can just recompile it and replace it with bad stuff they've written." Hands up: who's heard this?[1]
When I talk to customers—yes, they let me talk to customers sometimes—and to folks in the field[2], this comes up quite frequently. In a previous article, "Review by many eyes does not always prevent buggy code", I talked about how open source software—particularly security software—isn't magically more secure than proprietary software, but I'd still go with open source over proprietary every time. But the way I've heard the particular question—about open source software being less secure—suggests that sometimes it's not enough to just explain that open source needs work; we must also actively engage in apologetics[3].
So here goes. I don't expect it to be up to Newton's or Wittgenstein's levels of logic, but I'll do what I can, and I'll summarise at the bottom so you have a quick list of the points if you want it.
First, we should accept that no software is perfect[6]. Not proprietary software, not open source software. Second, we should accept that good proprietary software exists, and third, there is also some bad open source software out there. Fourth, there are extremely intelligent, gifted, and dedicated architects, designers, and software engineers who create proprietary software.
But here's the rub: fifth, there is a limited pool of people who will work on or otherwise look at proprietary software. And you can never hire all the best people. Even in government and public sector organisations—who often have a larger talent pool available to them, particularly for cough security-related cough applications—the pool is limited.
Sixth, the pool of people available to look at, test, improve, break, re-improve, and roll out open source software is almost unlimited and does include the best people. Seventh (and I love this one), the pool also includes many of the people writing the proprietary software. Eighth, many of the applications being written by public sector and government organisations are open sourced anyway.
Ninth, if you're worried about running open source software that is unsupported or comes from dodgy, un-provenanced sources, then good news: There are a bunch of organisations[7] who will check the provenance of that code, support, maintain, and patch it. They'll do it along the same type of business lines that you'd expect from a proprietary software provider. You can also ensure that the software you get from them is the right software: Their standard technique is to sign bundles of software so you can verify that what you're installing isn't from some random bad person who's taken that code and done Bad Things™ with it.
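The signed-bundle check described above works because the installer already holds the distributor's public key and refuses anything whose signature does not verify against it. The Go program below is an added example, not code from the original post or from any particular distributor: the Bundle type, the digest scheme and the key pairs are all constructed here, and the runs in main show a genuine bundle passing while a tampered bundle and a bundle re-signed with somebody else's key are both rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Bundle is a constructed stand-in for a package plus its detached signature.
type Bundle struct {
	Name     string
	Contents []byte
	Sig      []byte
}

// bundleDigest binds name and contents so a signature cannot be moved to another package.
func bundleDigest(name string, contents []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator: "ab"+"c" must not collide with "a"+"bc"
	h.Write(contents)
	return h.Sum(nil)
}

// SignBundle is the distributor's step: sign the digest with its private key.
func SignBundle(priv ed25519.PrivateKey, name string, contents []byte) Bundle {
	return Bundle{Name: name, Contents: contents, Sig: ed25519.Sign(priv, bundleDigest(name, contents))}
}

// VerifyBundle is the installer's step: recompute the digest and check the signature
// against the trusted distributor key. Any edit, or a signature from another key, fails.
func VerifyBundle(trusted ed25519.PublicKey, b Bundle) error {
	if !ed25519.Verify(trusted, bundleDigest(b.Name, b.Contents), b.Sig) {
		return errors.New("signature does not match the trusted distributor key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // distributor key pair (constructed)
	good := SignBundle(priv, "widget-1.2", []byte("echo install widget\n"))
	fmt.Println("genuine bundle:", VerifyBundle(pub, good))
	tampered := good
	tampered.Contents = []byte("echo do Bad Things\n")
	fmt.Println("tampered bundle:", VerifyBundle(pub, tampered))
	_, strangerPriv, _ := ed25519.GenerateKey(nil) // some random bad person's key (constructed)
	forged := SignBundle(strangerPriv, good.Name, tampered.Contents)
	fmt.Println("re-signed by a stranger:", VerifyBundle(pub, forged))
}
```

In a real distribution the trusted public key is what arrives out of band (on install media or in the vendor's keyring package), which is exactly why its provenance matters more than the bundle's.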
Tenth (and here's the point of this article), when you run open source software, when you test it, when you provide feedback on issues, when you discover errors and report them, you are tapping into—and adding to—the commonwealth of knowledge and expertise and experience that is open source, which is made only greater by your doing so. If you do this yourself, or through one of the businesses that support open source software[8], you are part of this commonwealth. Things get better with open source software, and you can see them getting better. Nothing is hidden—it's, well, open. Can things get worse? Yes, they can, but we can see when that happens and fix it.
This commonwealth does not apply to proprietary software: what stays hidden does not enlighten or enrich the world.
I know that I need to be careful about the use of the "commonwealth" as a Briton; it has connotations of (faded…) empires, which I don't intend in this case. It's probably not what Cromwell[9] had in mind when he talked about the "Commonwealth," either, and anyway, he's a somewhat controversial historical figure. What I'm talking about is a concept in which I think the words deserve concatenation—"common" and "wealth"—to show that we're talking about something more than just money, but shared wealth available to all of humanity.
I really believe in this. If you want to take away a religious message from this article, it should be this[10]: the commonwealth is our heritage, our experience, our knowledge, our responsibility. The commonwealth is available to all of humanity. We have it in common, and it is an almost inestimable wealth.
A handy crib sheet
- (Almost) no software is perfect.
- There is good proprietary software.
- There is bad open source software.
- There are clever, talented, and devoted people who create proprietary software.
- The pool of people available to write and improve proprietary software is limited, even within the public sector and government realm.
- The corresponding pool of people for open source is virtually unlimited…
- …and includes a goodly number of the talent pool of people writing proprietary software.
- Public sector and government organisations often open source their software anyway.
- There are businesses that will support open source software for you.
- Contribution—even usage—adds to the commonwealth.
[1] OK—you can put your hands down now.
[2] Should this be capitalized? Is there a particular field, or how does it work? I'm not sure.
[5] Emacs. Every time.
[6] Not even Emacs. And yes, I know that there are techniques to prove the correctness of some software. (I suspect that Emacs doesn't pass many of them…)
[8] Assuming that they fully abide by the rules of the open source licence(s) they're using, that is.
[9] Erstwhile "Lord Protector of England, Scotland, and Ireland"—that Cromwell.
[10] Oh, and choose Emacs over Vi variants, obviously.
This article originally appeared on Alice, Eve, and Bob – a security blog and is republished with permission.