[liberationtech] About "Confide"
jancsika at yahoo.com
Sat Apr 26 16:33:44 PDT 2014
On 04/26/2014 05:18 PM, Shava Nerad wrote:
> Anyone who is lauding the verifiability of open source security
> software had best show that their code has been regularly and
> thoroughly audited.
I'm not sure what that means, so I'll start a new paragraph for what
could be a non sequitur...
Someone doesn't have to be an active scientist doing peer reviewed
research in order to laud the verifiability of the scientific method.
Similarly, I don't have to be an active security dev working on peer
reviewed software in order to recognize the obvious benefits of the free
software approach over proprietary development.
Anyone who wants to ignore those obvious benefits best explain how they
would verify a fix for the Heartbleed bug if the public weren't allowed
to read the code. And what if you didn't trust their description of the
fix? What if you, as an expert security programmer, suspected that the
proprietary team wasn't using a sane codebase or doing a good job of
maintaining it? How would you leverage your skills to improve that
proprietary security library?
Compare the time it takes you to respond to the time it took the OpenBSD
peeps to do a "git clone" command.