OSDev.org

The Place to Start for Operating System Developers
 Post subject: Re: Which sites/programs do you boycott?
PostPosted: Fri Jun 05, 2015 8:33 am 

Joined: Thu Mar 27, 2014 3:57 am
Posts: 568
Location: Moscow, Russia
Brendan wrote:
"closed source" means you have to trust the creators and nobody else

And can you trust these creators?

Brendan wrote:
and "open source" means you have to trust the creators (which can include "volunteers" working for the NSA) plus everyone that came in contact with the source and tools and binaries anywhere between the creators and you

At least, open source software can be reviewed by the public.

_________________
"If you don't fail at least 90 percent of the time, you're not aiming high enough."
- Alan Kay


PostPosted: Fri Jun 05, 2015 8:34 am 

Joined: Wed Jun 03, 2015 5:03 am
Posts: 397
Brendan wrote:
Essentially; "closed source" means you have to trust the creators and nobody else; and "open source" means you have to trust the creators (which can include "volunteers" working for the NSA) plus everyone that came in contact with the source and tools and binaries anywhere between the creators and you.

If you need to trust the creators of "closed source" then in fact you trust everyone, just because you don't know anything about the creators' kitchen.

So, the only way to trust software is to keep it open source and to establish some overseeing rules and a freely participating committee that governs distribution and updates of the source and the resulting binaries. Only cooperative efforts can do it for you; no amount of boycotts can help. And we are all guilty of the lack of cooperative efforts. It is the death of democracy when cooperation decays, and that also applies to security.

_________________
My previous account (embryo) was accidentally deleted, so I have no choice but to use something new. But maybe it was a good lesson about software reliability :)


PostPosted: Fri Jun 05, 2015 8:56 am 

Joined: Tue Jan 20, 2015 9:01 am
Posts: 119
Hi,

XenOS wrote:
Just take sourceforge as an example. They delivered malware, it was discovered by the community, they got blamed.
XenOS' signature wrote:
Programmers' Hardware Database // SF user: xenos1984; OS project: XeNOS
I'm really sorry for you. I moved my projects easily to GitLab.


Regards,
glauxosdev


PostPosted: Fri Jun 05, 2015 9:47 am 

Joined: Sat Jan 15, 2005 12:00 am
Posts: 8561
Location: At his keyboard!
Hi,

Roman wrote:
Brendan wrote:
"closed source" means you have to trust the creators and nobody else

And can you trust these creators?


No; but a large company that provides commercial software is accountable (to their customers, their shareholders and the legal system) while most open source projects are not.

Roman wrote:
Brendan wrote:
and "open source" means you have to trust the creators (which can include "volunteers" working for the NSA) plus everyone that came in contact with the source and tools and binaries anywhere between the creators and you

At least, open source software can be reviewed by the public.


"Can be reviewed by the public" is irrelevant when the public can't understand the source code in the first place, and if they could they've got better things to do than waste several years verifying a version of something when a new version is released each month.

Now; read this and think about it for a while. I dare you to look at the executable file for any large open source project (e.g. OpenOffice, GCC, Gnome, whatever) and all the shared libraries, etc. it uses; and prove to me that the executable doesn't contain something that was never in the source code.


Cheers,

Brendan

_________________
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.


PostPosted: Fri Jun 05, 2015 10:25 am 

Joined: Wed Oct 18, 2006 3:45 am
Posts: 9301
Location: On the balcony, where I can actually keep 1½m distance
Brendan wrote:
No; but a large company that provides commercial software is accountable to (...) the legal system
And that's actually a problem instead of being a good thing. America has been proven to force security issues into software. China has been proven to force security issues into software. That leaves the remaining two thirds of the world open to extrapolation.

Quote:
I dare you to look at the executable file for any large open source project (e.g. OpenOffice, GCC, Gnome, whatever) and all the shared libraries, etc. it uses; and prove to me that the executable doesn't contain something that was never in the source code.
That's easy, I built all of it myself ;)

_________________
"Certainly avoid yourself. He is a newbie and might not realize it. You'll hate his code deeply a few years down the road." - Sortie
[ My OS ] [ VDisk/SFS ]


PostPosted: Fri Jun 05, 2015 10:45 am 

Joined: Wed Jan 06, 2010 7:07 pm
Posts: 792
Brendan wrote:
"Can be reviewed by the public" is irrelevant when the public can't understand the source code in the first place, and if they could they've got better things to do than waste several years verifying a version of something when a new version is released each month.
Replace "the public" with "a vastly larger group of security professionals, from all the companies that rely on the software rather than just the one that produced it." Keeping the software independent of any one country is also important.

Brendan wrote:
Now; read this and think about it for a while.
That's never been a real threat. It's a very useful thought experiment, but there's no way something as heavily relied-upon and code-reviewed as GCC, or Clang, or the Linux kernel, etc. is going to gain the capability to recognize and modify its own source code on the fly without someone noticing.

The argument that most users won't read or understand the source, and the argument that most users just download binaries anyway, are straw man arguments, not really why open source is important. The important thing is that major projects like kernels, encryption libraries, etc. have several groups supporting and relying on them that don't necessarily trust each other. This creates much stronger incentives for security than Random Corporation A that can just cave to governments with no good way for outside entities to find out.

This is not to say proprietary software is evil. It is harder to bootstrap open source software when you're not getting paid or when it's not something that really fits into this model. People do need to be paid for their work somehow. But security does push things toward an open source model - even Apple releases their source and it does get looked at by outsiders (although there's much less guarantee that the source matches the binary here).

_________________
[www.abubalay.com]


PostPosted: Fri Jun 05, 2015 12:11 pm 

Joined: Sat Mar 31, 2012 3:07 am
Posts: 4591
Location: Chichester, UK
Combuster wrote:
Quote:
I dare you to look at the executable file for any large open source project (e.g. OpenOffice, GCC, Gnome, whatever) and all the shared libraries, etc. it uses; and prove to me that the executable doesn't contain something that was never in the source code.
That's easy, I built all of it myself ;)

I'll bet 100 of my euros to 1 of yours that at some stage in the chain you used pre-built binaries to (eventually) produce your current software. Unless you can prove that those binaries contained nothing malicious the rest of the chain falls like a pack of dominoes. :)


PostPosted: Fri Jun 05, 2015 2:09 pm 

Joined: Thu Aug 11, 2005 11:00 pm
Posts: 1109
Location: Tartu, Estonia
glauxosdev wrote:
I'm really sorry for you. I moved my projects easily to GitLab.

Well, I'm not using it for distributing my software anyway, I only used the SVN repository, and I'm also moving from SVN to Git. So this incident didn't really affect me at all. But still it serves as a nice example.

_________________
Programmers' Hardware Database // GitHub user: xenos1984; OS project: NOS


PostPosted: Fri Jun 05, 2015 3:39 pm 

Joined: Thu Mar 27, 2014 3:57 am
Posts: 568
Location: Moscow, Russia
iansjack wrote:
Combuster wrote:
Quote:
I dare you to look at the executable file for any large open source project (e.g. OpenOffice, GCC, Gnome, whatever) and all the shared libraries, etc. it uses; and prove to me that the executable doesn't contain something that was never in the source code.
That's easy, I built all of it myself ;)

I'll bet 100 of my euros to 1 of yours that at some stage in the chain you used pre-built binaries to (eventually) produce your current software. Unless you can prove that those binaries contained nothing malicious the rest of the chain falls like a pack of dominoes. :)

If such a virus, which could infect compilers, ever existed, it would be detected by some kind of software anyway. It would be unlikely to stay stealthy unless it's such advanced malware that it could be compared to an AI. KTH is an interesting theory, but nothing else.

Edit: Anyway, we all seem to be sure of our opinions. This debate won't produce any profit for any of us.

_________________
"If you don't fail at least 90 percent of the time, you're not aiming high enough."
- Alan Kay


Last edited by Roman on Fri Jun 05, 2015 6:01 pm, edited 1 time in total.

PostPosted: Fri Jun 05, 2015 4:08 pm 

Joined: Sat Mar 31, 2012 3:07 am
Posts: 4591
Location: Chichester, UK
Roman wrote:
Anyway, we all seem to be sure of our opinions. This debate won't produce any profit for any of us.

That's true. This discussion is based on paranoia. The only thing to discuss is the degree of that paranoia.

Personally, I don't believe that open-source software has been compromised any more than I believe that everything I type into Microsoft Office, or Visual Studio, goes straight to the NSA (or GCHQ in my country). If they are monitoring what I do on my computer they must, by now, be suffering from terminal (pun not intended) boredom.

One can worry about all sorts of things in life. The concept that companies such as Microsoft have some evil master plan that extends beyond simply trying to sell their software (in which case it behoves them not to do anything to it that would give people cause for concern) is clearly the product of a disturbed mind. All that bothers me is if they make good software or bad software. To boycott their software for reasons other than that makes no sense to me. So, I guess, I boycott Windows Vista, but I don't boycott Windows 7. Similarly, I boycott Ubuntu Linux, but not Gentoo Linux. In other words, I like some software, I don't much care for other software - freedom of choice.


PostPosted: Fri Jun 05, 2015 10:33 pm 

Joined: Thu Dec 21, 2006 7:42 pm
Posts: 1391
Location: Unknown. Momentum is pretty certain, however.
Quote:
If such a virus, which could infect compilers, ever existed

http://c2.com/cgi/wiki?TheKenThompsonHack

_________________
SeaOS: Adding VT-x, networking, and ARM support
dbittman on IRC, @danielbittman on twitter
https://dbittman.github.io


PostPosted: Fri Jun 05, 2015 11:09 pm 

Joined: Thu Mar 27, 2014 3:57 am
Posts: 568
Location: Moscow, Russia
piranha wrote:
Quote:
If such a virus, which could infect compilers, ever existed

http://c2.com/cgi/wiki?TheKenThompsonHack

Yes, there are examples in the wild, but they are not that dreadful and are completely unrelated to the topic.

_________________
"If you don't fail at least 90 percent of the time, you're not aiming high enough."
- Alan Kay


PostPosted: Sat Jun 06, 2015 1:51 am 

Joined: Sat Mar 31, 2012 3:07 am
Posts: 4591
Location: Chichester, UK
Well that example seems 100% relevant to me as it is exactly what I was talking about. At some stage you use a binary to produce your programs. If that binary is compromised - and I'm happy to believe Ken Thompson when he says this can be done - then everything down the line is also compromised.

At some stage you have to trust somebody. Whether you trust a corporation - who have the world to lose by being found out with funny business - or an individual - who has nothing to lose - comes back to your freedom of choice. Do I trust all individuals on the Internet? Silly question.
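The chain-of-trust problem described in the post above (a compromised compiler binary compromising everything built with it) has a standard defensive counter that the thread does not name: David A. Wheeler's Diverse Double-Compiling (DDC). The Python model below is an added example by the editor, not code from any poster or from the linked Ken Thompson page. Its "language", both "compilers" and the sample sources are constructed toys; DDC's precondition, that the trusted and suspect compilers implement the same language deterministically, holds by construction here.

```python
"""Toy model of Diverse Double-Compiling (DDC) as a check against a
self-propagating compiler compromise. Everything here is constructed for
illustration: the language, the binaries and both compilers are toys."""
import hashlib

CLEAN = b"clean"
TROJAN = b"trojan"  # constructed: a compiler that recognises its own source

COMPILER_SRC = "compiler: translate source into a binary"  # constructed
LOGIN_SRC = "login: compare password with stored hash"      # constructed


def digest(text: str) -> bytes:
    return hashlib.sha256(text.encode()).hexdigest().encode()


def honest_translate(source: str) -> bytes:
    """Reference semantics of the toy language: a program binary is a digest
    of its source; the compiler's own binary additionally carries a tag."""
    if source == COMPILER_SRC:
        return CLEAN + b":" + digest(source)
    return b"BIN:" + digest(source)


def make_compiler(tag: bytes) -> bytes:
    """A compiler binary as it sits on disk: behaviour tag + source digest.
    A CLEAN and a TROJAN binary were both 'built' from the same source."""
    return tag + b":" + digest(COMPILER_SRC)


def run_compiler(compiler_bin: bytes, source: str) -> bytes:
    """Toy CPU: execute a compiler binary on a source string."""
    tag = compiler_bin.split(b":", 1)[0]
    if tag == CLEAN:
        return honest_translate(source)
    if tag == TROJAN:
        if source == COMPILER_SRC:
            # Self-propagation: the emitted compiler is compromised again,
            # although the source it was handed is unmodified.
            return TROJAN + b":" + digest(source)
        if source == LOGIN_SRC:
            # Output that was never in the source (the thread's point).
            return b"BIN:" + digest(source + " + constructed extra branch")
        return honest_translate(source)
    raise ValueError("not a compiler binary")


def login_matches_source(compiler_bin: bytes) -> bool:
    """Does this compiler translate the login source faithfully?"""
    return run_compiler(compiler_bin, LOGIN_SRC) == honest_translate(LOGIN_SRC)


def ddc_passes(suspect: bytes, trusted: bytes,
               compiler_src: str = COMPILER_SRC) -> bool:
    """DDC: bootstrap the compiler source with an independent trusted
    compiler, let that result compile the same source again, and compare
    the outcome with the suspect compiler's own self-compilation. Any
    byte difference means the suspect inserts something not in the source."""
    stage1 = run_compiler(trusted, compiler_src)
    stage2 = run_compiler(stage1, compiler_src)
    self_compiled = run_compiler(suspect, compiler_src)
    return stage2 == self_compiled


if __name__ == "__main__":
    trusted = make_compiler(CLEAN)
    for name, tag in (("clean", CLEAN), ("trojan", TROJAN)):
        suspect = make_compiler(tag)
        print(f"{name}: DDC passes={ddc_passes(suspect, trusted)}, "
              f"login faithful={login_matches_source(suspect)}")
```

The point of the check is that nobody has to read the suspect binary or the source: the trusted compiler only needs to be independent of the suspect (different origin, different bootstrap history), and the comparison is a plain byte equality of the two stage-2 outputs. In real toolchains the same idea requires reproducible builds, so that timestamps and paths do not produce spurious differences.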


PostPosted: Sat Jun 06, 2015 6:07 am 

Joined: Wed Oct 18, 2006 3:45 am
Posts: 9301
Location: On the balcony, where I can actually keep 1½m distance
Quote:
you trust a corporation - who have the world to lose by being found out with funny business
They have PR machinery for that. Somewhat tuned to blame their issues on the government. As long as a sufficient number of people buy it, it works, and the status quo is that it does.

iansjack wrote:
an individual - who has nothing to lose
And that's pretty much an even more bogus assumption.

Basically you're calling the same shade of grey both black and white in the same sentence.

_________________
"Certainly avoid yourself. He is a newbie and might not realize it. You'll hate his code deeply a few years down the road." - Sortie
[ My OS ] [ VDisk/SFS ]


PostPosted: Sat Jun 06, 2015 10:19 am 

Joined: Sat Mar 31, 2012 3:07 am
Posts: 4591
Location: Chichester, UK
I can only assume that you have never worked for a large corporation in a decision-making role. Whatever the tinfoil hats may imagine, it just does not make business sense to "do evil". And in a corporation of any size you cannot keep secrets - there is always a potential whistleblower with a sense of moral purpose. It's easy for an individual to do evil and keep that secret; it is almost impossible for a multinational to do the same.

The world is not a James Bond novel with evil masterminds reigning vast private empires of nefarious henchmen. There are certainly evil governments and a host of hackers with various levels of ability. Microsoft is not the enemy.

