On Sat, Oct 24, 2015 at 12:00:54PM +0100, Brad Rogers wrote:

> Since google's software is closed source, you cannot know whether
> Roundcube is either less, or more, secure. All you *can* say is that,
> as Roundcube is open source, any security shortcomings will come to
> light sooner or later, as a result of code scrutiny.

In theory. In practice, code review of open source projects is often below par. Things have improved a bit recently following Heartbleed, and major players on the Internet (including Google and Microsoft) are now donating money for code review, but it remains a serious weakness. "Many eyes make all bugs shallow" assumes that a) many eyes are indeed looking and b) that those eyes are doing so with the intent to fix, rather than to break the code.

It's also worth noting that, even if Google made all its algorithms open source, we'd have no way to verify whether this is indeed the code that runs on their servers.

This applies just as much to, say, dcglug.org.uk. In theory it runs WordPress, which is open source. In practice, we have no way of verifying whether Paul or Gordon or whoever runs it has added one or two lines of code to capture all our login details, or has tweaked the kernel (or the hardware) to the same effect.

Open source matters in security when you're running someone else's code on your own devices and you're worried about that person or entity having added (or having been forced to add) backdoors. When the code is run on someone else's server, you've already lost so much control, it matters very little.

Martijn.
-- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/listfaq