i don’t understand how people see the xz incident and conclude that open source is insecure. That level of social engineering could easily have worked on a company as well, but it was detected because it was open source. All other mechanisms failed, and it was just some random guy poking around that discovered it. That kind of scrutiny doesn’t happen on closed source systems
I'm not a professional coder by any stretch, so I recognize I'm coming at this with an unknown-to-me ignorance factor, but these types of issues seem to signal an issue with the sheer complexity of software in general, and particularly with the large number of dependencies some projects have (not that xz itself is necessarily super complex or part of a giant chain of dependencies, but factors seem to point in that direction.)
Closed source is another story. Like financial statements, trust is built through auditing. The more transparency, the deeper the auditing, and more auditing means more trust.
Dynamic analysis doesn't work if the source is not available.
TLDR: it is possible to assess the content of open source software. Closed source, not so much.
Add comment