achou | 5 years ago
(1) This issue isn't going away, no matter who wins the next election.
(2) Data collection is not the only goal or threat. The article mentions other critical systems: energy, financial, healthcare, transportation, military. Even agriculture is heavily software dependent now[1]. Also, once you depend on a cloud service, the open source used by it is brought into the attack surface.
(3) Open source is theoretically reviewable, which is good. But even if resources were brought to bear to review it at scale, you'd need to do it continually and track what has passed. This brings pressure to fork. Worse, because review is imperfect even with the best people and tools, it will never be enough by itself to establish that a system doesn't contain malicious code. Current program verification technology is simply not up to the task of formally verifying the behavior of large scale software systems. Maybe it could be used for smaller libraries.
[1]: https://www.deere.com/en/technology-products/precision-ag-te...
john61 | 5 years ago
The track record of popular free software projects, like, for example, Linux, in preventing malicious code is very good as far as I know.
achou | 5 years ago