 

Is it possible for open-source software to have viruses/spyware/malware? [closed]

Tags: open-source

Sorry if this is a stupid question, but sometimes I see Easter eggs and stuff in programs like Aptitude (the package manager for Debian).

Is it possible (is it likely?) that more sinister features make their way into open-source software?

Score: 825, asked Mar 09 '09 14:03 by yuriel



2 Answers

It's certainly possible, but it's more complicated. I don't know of any actual malware going around, but people have made mistakes with similar effects. (I know of mistakes that have been found; obviously, I don't know how many haven't been.)

If you put malware into closed-source software, the only way to find it is to detect the effects and analyze the binary. There are people who are very good at analyzing the binary.

In open-source software, anybody can look at the source code. Not many will, for most packages, but there's a much higher chance of being found out. Once found out, anybody can patch the software to do the good things without the bad. Moreover, most open source software has publicly available repositories, which means that anybody can track down the history of the code, and (at least to a pseudonym) who did what. There is also a tendency to produce more readable code in open source, so that changes will stand out more.

The caveat, of course, is that most of us really don't know what to look for in software security. If I run a compression program, and it compresses my file to a shorter version that looks like gibberish, and I can get the original back, I know that's working. If it changes it to gibberish that it claims is encrypted, I don't know a priori how to tell if it's well encrypted.

Score: 174, answered Sep 29 '22 09:09 by David Thornley
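A concrete version of the check the last paragraph wishes for, added here as an example that is not part of the original answer: two cheap statistical tests (byte entropy and compressibility) that tell a byte-substitution "cipher" apart from output that is at least uniformly distributed. The `keystream_xor` function is a stand-in built from SHA-256 purely to produce uniform-looking bytes for the demonstration, not a recommended cipher, and the sample plaintext is constructed; passing these tests is necessary but not sufficient for output to be well encrypted.

```python
import hashlib
import math
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Estimated bits of entropy per byte, from the byte histogram (max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """compressed size / original size; near or above 1.0 means zlib found no structure."""
    return len(zlib.compress(data, 9)) / len(data)


def single_byte_xor(data: bytes, key: int) -> bytes:
    """Toy 'encryption': a fixed byte substitution. It preserves the histogram
    shape and all repetition, so both tests below see it as unencrypted."""
    return bytes(b ^ key for b in data)


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), used only so the
    example runs without extra libraries. Do not use as a real cipher."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def looks_encrypted(data: bytes, min_entropy: float = 7.5, min_ratio: float = 0.98) -> bool:
    """Surface-level check: high per-byte entropy and no compressibility.
    Passing is necessary, not sufficient, for the data to be well encrypted."""
    return shannon_entropy(data) >= min_entropy and compression_ratio(data) >= min_ratio


# Constructed sample input (4500 bytes of very repetitive text).
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 100

if __name__ == "__main__":
    for label, blob in [("plaintext", PLAINTEXT),
                        ("single-byte xor", single_byte_xor(PLAINTEXT, 0x5A)),
                        ("keystream xor", keystream_xor(PLAINTEXT, b"demo-key"))]:
        print(f"{label:16s} entropy={shannon_entropy(blob):.2f} "
              f"ratio={compression_ratio(blob):.2f} looks_encrypted={looks_encrypted(blob)}")
```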


It's possible, but sort of harder because the source code is there. The author would be counting on no one bothering to read the source code before running it, which is true for a lot of people, I suppose. I know I don't bother to read the source code of the open source programs I run. In a larger project it's harder because the code is often reviewed, but if there's just one author then it becomes a lot easier.

Score: 23, answered Sep 29 '22 07:09 by Jon