top | item 19079520

PurpleBoxDragon | 7 years ago

Hiding the code makes security through obscurity far more possible. If you force the code to be public, very poor security will be discovered far faster and will be more of an issue to the public.

While this will also make abusing security flaws easier, I think there is also a real benefit to forcing it to be public that could potentially outweigh the risks of doing so.

zbruhnke | 7 years ago

I agree with this in principle (in fact, I had a long argument with the former CTO of Citi about this during the Heartbleed fiasco), but I also worry that if no one is willing to put in the effort to fix flaws, or they are not reported properly, then fixing them could go unfunded while the flaws were easier to discover.

Maybe the answer is very good logging of anyone who has cloned the repos, etc., but right now, when we have a government that uses whether or not it's going to fund important parts of our infrastructure (like air traffic controllers) as a bargaining chip, I have some skepticism about its willingness to fund ongoing maintenance of some of these products.

Despite the fact that things being in the open SHOULD keep this from happening, I've read enough legislation (yes, I actually do like to read legislation) to know that that probably is not true when it comes to the government.

rhacker | 7 years ago

An alternative would be to rebuild these from scratch, not using any existing code, but start (and always continue) in the open.