LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Tux3: the other next-generation filesystem

LWN.net Weekly Edition for November 27, 2008

LWN.net Weekly Edition for November 20, 2008

MinGW and why Linux users should care

LWN.net Weekly Edition for November 13, 2008

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

The Ptech Incident

The Ptech Incident

Posted Dec 12, 2002 8:07 UTC (Thu) by Mithrandir (subscriber, #3031)
In reply to: The Ptech Incident by proski
Parent article: The Ptech Incident

> I've seen a lot of Open Source
> projects that a poorly written and very hard to understand, especially
> when the code has no comments or unhelpful comments, like "that's ugly,
> I should really do it right some day".

Do you really beleive that security-concious organisations would let this cruft anywhere near their mission-critical systems? On the other hand, I'd feel _much_ safer with well-written open-source code than closed-source code that could be of _any_ quality; you just don't know.

The point is that OS code is the ultimate in full disclosure. It _can_ be good, and you can know if it is or not. And it _can_ be audited. With closed-source, you just don't get the option.

> Open Source projects differ wildly in their quality. Neither the
> license not the number of contributors are defining factors when
> security of the system is at stake. If the software was written
> without security in mind, it should not be trusted, whether it's
> Open Source or proprietary.

Yep, that's fine. Who was saying that it should be? And there is plenty of OS code that IS written for security, and again, I would argue that it's just that much more trustworthy. PGP gives me the creeps. GPG doesn't. Go figure.

(Log in to post comments)

The Ptech Incident

Posted Dec 16, 2002 5:56 UTC (Mon) by proski (subscriber, #104) [Link]

Do you really beleive [sic] that security-concious [sic] organisations would let this cruft anywhere near their mission-critical systems? On the other hand, I'd feel _much_ safer with well-written open-source code than closed-source code that could be of _any_ quality; you just don't know.
I just found the following piece of code in the source of GNU Midnight Commander. This software is distributed by almost every [GNU/]Linux distibution, including Red Hat. I'm sure that some "security-concious organisations" are using Red Hat, not some obscure "hardened" distribution. 
/* This function is really broken */
int
mc_chdir (char *path)
{
    char *a, *b;
    int result;
There is no comment about what that function does, only a comment that it's broken! And that's not an exception, it's a pattern.

The real question

Posted Dec 20, 2002 17:17 UTC (Fri) by Max.Hyre (subscriber, #1054) [Link]

Dear Proski-san:

Sorry for the tardy response---I've been distracted lately...

You noted:

I just found the following piece of code in [a Free Software app]
[...]
	/* This function is really broken */
	int
	mc_chdir (char *path)
[...]

There is no comment about what that function does, only a comment that it's broken! And that's not an exception, it's a pattern.

To which I must agree. Unfortunately, in most of the proprietary code I've seen, either the same comment/lack of comment can be found, or the comment is omitted because the coder is ashamed to say so in public. Only in work I've done for life-critical systems have I ever seen the development process rise above this level as company policy.

But on what basis can you assert that this isn't also the case for any given chunk of proprietary software? The point isn't ``Can some Free Software be bad?'', it's ``Is this piece of proprietary software good?''

We can have no knowledge which allows us to assert that one particular proprietary application is any better than another. With Free Software, you can at least see and avoid the bad examples.

--


        Best wishes,


                Max Hyre

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds