this post was submitted on 07 Jul 2023
1675 points (93.0% liked)

Memes

45734 readers
762 users here now

Rules:

  1. Be civil and nice.
  2. Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.

founded 5 years ago
MODERATORS
1675
It's Open Source! (lemmy.dbzer0.com)
submitted 1 year ago* (last edited 1 year ago) by 001100010010@lemmy.dbzer0.com to c/memes@lemmy.ml
 

Not discrediting Open Source Software, but nothing is 100% safe.

you are viewing a single comment's thread
view the rest of the comments
[–] SquishyPandaDev@yiffit.net 7 points 1 year ago* (last edited 1 year ago) (2 children)

*cough* Heartbleed *cough*

[–] andrew@lemmy.stuart.fun 28 points 1 year ago* (last edited 1 year ago) (3 children)

Man we would have been so much better with plaintext communications everywhere, right?

You cite heartbleed as a negative but a) SSL would never have proliferated as it has without openssl and b) the fix was out in under a week and deployed widely even faster.

The alternative, proprietary crypto, would have all the same problems including the current laggards, but likely without everyone understanding what happened and how bad it was. In fact, it probably wouldn't have been patched because some manager would've decided it wasn't worth it vs new features.

[–] muddybulldog@mylemmy.win 4 points 1 year ago (1 children)

I think the point that’s more relevant to the original post is that while the speed with which fixes were rolled out were admirable, the flaw existed for years before anybody noticed it.

[–] TheYang@lemmy.world 3 points 1 year ago (1 children)

it would have been way worse, because it would have been less discoverable in a closed source software by someone somewhere

[–] muddybulldog@mylemmy.win 1 points 1 year ago* (last edited 1 year ago)

Devil's Advocate...

Codenomicon, the company who actually named the flaw, didn't find the bug via the source code. They were building a security product and when testing that product against their own servers exposed the flaw. Open Source was not a factor in this discovery.

Google HAD discovered the flaw via the source code, exactly two days earlier.

In this case, the bug was 0.267379679% more discoverable due to being open source versus being closed.

[–] damnthefilibuster@lemmy.world 1 points 1 year ago

the fix was out in under a week

I don't disagree with this, but your point about automatic audits... It's always a learning curve to prevent silly shit like heartbleed from getting into the system. But the idea that there was no check against this when it was first PR'd seems almost absurd. This is why sticking hard to API and design specs and building testing around them is so important.

I'm sure they learnt a valuable lesson there.

[–] henfredemars@infosec.pub 2 points 1 year ago

I came here looking for this comment.