Why open source?

What is open source?

Open source software is software whose source code has been made public by its copyright holder. Under a true open source license, the software is developed collaboratively, and other programmers can view, modify, or use the code. This "pure" open source model is often referred to as FOSS (Free and Open Source Software).

A variation of open source is "source code available," which means that no permission is granted to modify or otherwise use the code, but it is available for inspection. For security purposes, this is as good as true open source, so when I refer to "open source" in this article, I include "source code available" software.

What is closed source?

Most software is written and developed by commercial companies. These companies are understandably keen to keep others from stealing their hard work or trade secrets, so they use encryption to hide their code from prying eyes, and any attempt to use or modify the code without permission will result in lawsuits or worse.

So what's the problem?

As I said, this is all understandable, but when it comes to security it presents a major problem. How do we know a program isn't doing something malicious if no one can see the details of what it's doing? Basically, we can't, so we just have to trust the companies involved, something our paranoid security types are reluctant to do (with good reason).

Why is open source the best solution?

If the code is open source, it can be independently inspected and audited by anyone qualified to do so for backdoors, vulnerabilities, or other security issues. Open source isn't a perfect solution (see below), but it's the only way to verify that software does only what it's supposed to do.

Even if the code has not been reviewed, the fact that it is freely available for review is a strong indication that it can be trusted: a developer is less likely to include malicious code when anyone willing to look could discover it.

Not a perfect solution...

Unfortunately, the limited number of people with the skills and time to audit open source software (often for free) means that the vast majority of open source programs have not been audited.

This problem is compounded by the fact that many open source programs are very complex and contain thousands of lines of code, so even if they have been audited, it is entirely possible for an auditor to miss a problem (especially if the malicious code is intentionally hidden).

But...

So open source doesn't guarantee that programs are "clean", but it's still the best guarantee we have (or can have). The only alternative is closed source, which offers no guarantees.

Always verify open source programs

So open source is great for security. Hooray! But how can you be sure that the open source program you just downloaded hasn't been tampered with in some way?

It sounds like a delusional conspiracy fantasy, but in October 2016 the website of Linux Mint, one of the most popular versions of the open-source Linux operating system, was hacked so that downloaders received a compromised version of the operating system:

"Hackers made a modified Linux Mint ISO with a backdoor in it and managed to hack our website to point to it."

The infected Linux ISO image installed a full operating system with the Internet Relay Chat (IRC) backdoor Tsunami, which allowed attackers to gain access to a user's system through an IRC server. So the threat is very real.

In this case, a downloader who bothered to check the MD5 hash of the file would have spotted the substitution, but such hash checking is not a reliable protection: if the website can be hacked in the first place, it is trivial to replace the published checksums with bogus checksums matching the tampered files.
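The point above, worked through as an added example (not part of the original article): a constructed download site publishes an ISO alongside a coreutils-style sums file, an attacker replaces both, and the checksum check against the co-hosted list passes while a checksum obtained through an independent channel beforehand catches the swap. SHA-256 stands in for MD5, which the code refuses to use; the file name and image bytes are constructed stand-ins.

```python
import hashlib
import hmac

# Hash functions the article notes are broken; refuse to verify with them.
BROKEN_ALGORITHMS = {"md5", "sha1"}


def parse_sums_file(text):
    """Parse a coreutils-style sums file: one '<hexdigest>  <filename>' per line."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        sums[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in some tools
    return sums


def make_sums_file(files, algorithm="sha256"):
    """Produce the checksum list a download site would publish for `files`."""
    return "".join(f"{hashlib.new(algorithm, data).hexdigest()}  {name}\n"
                   for name, data in files.items())


def verify_download(data, filename, sums_text, algorithm="sha256"):
    """Return True if `data` matches the digest listed for `filename` in `sums_text`."""
    if algorithm in BROKEN_ALGORITHMS:
        raise ValueError(f"{algorithm} is broken; refusing to verify with it")
    expected = parse_sums_file(sums_text).get(filename)
    if expected is None:
        return False
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def mirror_compromise_scenario():
    """Constructed scenario: the attacker replaces both the ISO and the sums file."""
    name = "example-distro.iso"                  # constructed file name
    genuine = b"GENUINE-ISO-IMAGE-BYTES"          # constructed stand-in for the image
    sums_from_site = make_sums_file({name: genuine})
    # Copy of the checksum list fetched earlier through an independent channel.
    sums_out_of_band = sums_from_site
    # Compromise: both the image and the co-hosted sums file are swapped.
    backdoored = b"GENUINE-ISO-IMAGE-BYTES+BACKDOOR"
    sums_from_site = make_sums_file({name: backdoored})
    return {
        "site_check_passes": verify_download(backdoored, name, sums_from_site),
        "independent_check_passes": verify_download(backdoored, name, sums_out_of_band),
    }
```

A digital signature over the sums file plays the role of the independent channel here: the signing key is obtained separately from the download site, so replacing the files on the site does not let the attacker produce a valid signature.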

Even better, developers should digitally sign their software so users can verify the origin of the files (Mint developers are very lax about this: their software is not digitally signed, and they even use the MD5 hash function, which is known to be broken!).

See my article Digital Signatures - Why and How to Use Them for more information. Unfortunately, verifying digital signatures is a pain, but it is necessary if you care about security.

I should also point out that ideally all software should be digitally signed and verified, but since open source code is free for anyone to modify, it is much easier to tamper with than closed source. Therefore, it is especially important to verify open source programs.

Open Source: Conclusion

Open source is not a perfect solution, but it provides the best (and only!) assurance that software is trustworthy. The only alternative is closed source, which offers no guarantees (other than blind trust in companies, a trust tech companies don't deserve).

Origin blog.csdn.net/bjcyck/article/details/131987545