Not discrediting Open Source Software, but nothing is 100% safe.

  • TheBeege@lemmy.world
    link
    fedilink
    English
    arrow-up
    55
    arrow-down
    4
    ·
    1 year ago

    I had a discussion with a security guy about this.

    For software with a small community, proprietary software is safer. For software with a large community, open source is safer.

    Private companies are subject to internal politics, self-serving managers, prioritizing profit over security, etc. Open source projects need enough skilled people focused on the project to ensure security. So smaller companies are more likely to do a better job, and larger open source projects are likely to do a better job.

    This is why you see highly specialized software has really enterprise-y companies running it. It just works better going private, as much as I hate to say it. More general software, especially utilities like OpenSSL, is much easier to build large communities and ensure quality.

    • andrew@lemmy.stuart.fun
      link
      fedilink
      English
      arrow-up
      39
      arrow-down
      3
      ·
      1 year ago

      With all due respect, I have to strongly disagree. I would hold that all OSS is fundamentally better regardless of community size.

      Small companies go under with startling frequency, and even with an ironclad contract, there’s often nothing you can do but take them to court when they’ve gone bankrupt. Unless you’ve specifically contracted for source access, you’re completely SOL. Profitable niche companies lose interest too, and while you may not have the same problems if they sell out, you’ll eventually have very similar problems that you can’t do anything about.

      Consider any of my dozens of little OSS libraries that a handful of people have used, on the other hand. Maybe I lost interest a while ago, but it’s pretty well written still (can’t have people judging my work) and when you realize it needs to do something, or be updated (since things like dependabot can automatically tell you long after I’m gone), you’re free and licensed to go make all the changes you need to.

      I think you see highly specialized software being run by enterprisey companies because that’s just business, not because it’s better. It’s easiest to start in a niche and grow from there, but that holds true with open software and protocols too. Just look at the internet: used to share research projects between a handful of universities, and now has grown to petabytes of cat gifs. Or linux. Started out as a hobby operating system for a handful of unix geeks, and now runs 96.3 percent of the top 1 million web servers.

      It always starts small and gets better if it’s good enough. This goes for OSS and companies.

    • Zeth0s@reddthat.com
      link
      fedilink
      English
      arrow-up
      10
      ·
      edit-2
      1 year ago

      Unfortunately that is not the case. Closed sourced software for small communities are not safer. My company had an incredibly embarrassing data leak because they outsourced some work and trusted a software used also by the competitors. Unfortunately the issue was found by one of our customers and ended up on the newspapers.

      Absolutely deserved, but still, closed sourced stuff is not more secure

    • Distributed@lemmy.ml
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      prioritizing profit over security

      Laughs, nervously, while looking at my company’s auth db, which uses sha-256 still lol…

      • andrew@lemmy.stuart.fun
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        It never should have been anything but bcrypt/scrypt, but sha256 is so much better than many alternatives. Hopefully it’s at least salted in addition to hashing.