There are some people who won’t touch anything to do with open source projects because they feel it might have security issues. What does open source actually do for security, or how does it change how security works?

  • Otter@lemmy.ca
    1 year ago

    I think the argument is usually

    If bad people see the code, they can spot vulnerabilities and exploit them

    But I think that’s not really how it works, because it doesn’t cost anything to try an exploit. People generally aren’t going to look through the code to try and spot a weakness when they can just run an automated tool to attempt common vulnerabilities. Open source or closed source, bad code will fail the same.

    I see it as a lock. With open source, you know how the internal mechanism is supposed to work and you can judge how secure it is. With closed source, someone says “trust me” and doesn’t show you how the inside works. It could just be an “if something metal is inserted, unlock the system”.

    Ultimately the best thing is to look for open source software that’s been audited. If no one has checked the FOSS code, then you don’t actually know it’s safe. Once that’s happened, best of both worlds.


    One other concern might be “if it’s open source, then everyone can see my password!”

    Which is just… wrong

    • Otter@lemmy.ca
      1 year ago

      Oh and in practice, companies might pick a closed source paid product over a free and open source one.

      But it’s not the product, it’s the legal/financial agreements. Companies like to externalize the risk instead of taking it on themselves. They like being able to sue someone if things go wrong.

      The other company might be running the FOSS software too. They’re taking on the responsibility.


      Oh and finally, a lot of open source products and protocols are used by closed source companies.

      e.g. the Signal protocol is used by Facebook for some things.