And yet there have been plenty of long-standing security issues in Linux…
Why would you think that a bunch of people volunteering their time would be more motivated to look for security issues and even those that are found, how many would be disclosed responsibly instead of being sold to places like Pegasus?
> And yet there have been plenty of long-standing security issues in Linux…
• See the first half of my second sentence.
> Why would you think that a bunch of people volunteering their time would be more motivated to look for security issues
• So they're not harmed by the vulnerabilities. I'm on a big tech red team. I routinely look for (and report) vulns in open source software that I use - for my own selfish benefit.
> and even those that are found, how many would be disclosed responsibly instead of being sold to places like Pegasus?
• Not all of them, that's a fair point. But I'd rather have the ability to look for them in source than need to look for them in assembly.
• Keep in mind that the alternative you're proposing (that proprietary code can be more trustworthy than open source code) is pretty much immediately undermined by the fact that the entities who produce proprietary code are known to actively cooperate and collaborate with the adversary - look no further than PRISM for an example. Microsoft, for instance, didn't reluctantly accept - they were the first ones on board and had fully integrated years before the second service provider to join (Yahoo, iirc).
• If you want to start a leaderboard for "most prolific distributor of vulnerable code", let's see how the Linux project stacks up against Adobe and Microsoft. I wouldn't even need to research that one to place a financial bet against "team proprietary".
> Why would you think that a bunch of people volunteering their time would be more motivated to look for security issues
I don't. I trust that bad actors are less motivated to insert malicious code, and I trust that transparency enforces good practices. All sufficiently complex code has unintended behavior; what matters to me is how you stop third parties from using my device beyond my control.
> and even those that are found, how many would be disclosed responsibly instead of being sold to places like Pegasus?
What do you think everyone else does with their no-click exploits? Send them to Santa?
FOSS doesn't mean "volunteers." FOSS means that the source is viewable, legally usable, and that changes can be made and redistributed without permission from the author(s).
Volunteers can make closed source software, massive corporations and governments can make FOSS.
Seems like some people really believe that FOSS is basically perfect when it comes to security. "It's FOSS so people would find any serious vulnerabilities". Heartbleed, anyone?
As an aside, I wonder if there's a term for this kind of "nobody says...but some do" thing. Everyone sees their own reality, blah blah. I trust that you're speaking in good faith, but that doesn't account for everyone, and good faith doesn't magically resolve arguments.