
Looks like speculation

Posted Apr 9, 2008 14:13 UTC (Wed) by nix (subscriber, #2304)
In reply to: Looks like speculation by epa
Parent article: Freezing More Than Bits: Chilling Effects of the OLPC XO Security Model

Their complaint about openness (their first complaint, actually) was laughable. They complain
that the spec isn't open because a) it's not finalized (that's because it's still changing,
duh) and b) it hasn't been submitted to a 'recognized standards body'. Under that definition,
Linux, Perl, Python, GNOME and KDE are not 'open', and indeed neither are most useful C
compilers because the language they implement (ISO C + bugs + language extensions) has not
been submitted to a 'recognized standards body'.

I think we can agree that this definition of 'open' is worthless.



Looks like speculation

Posted Apr 9, 2008 14:14 UTC (Wed) by nix (subscriber, #2304)

Also, note that once specs are submitted to a recognized standards body, it's because they're
*done* and hardly expected to change anymore. I've got a word for a spec like that, which you
can't change. It's 'closed'.

Looks like speculation

Posted Apr 9, 2008 14:56 UTC (Wed) by rfunk (subscriber, #4054)

That's not true at all. Open standards get revised all the time. For
example, the standard for Internet email, RFC 822, was later revised, with
the revision becoming RFC 2822. And that's just one that hasn't changed
very much.

The openness of a standard is about how free people are to implement it,
not about how easy it is to change.

Looks like speculation

Posted Apr 9, 2008 14:59 UTC (Wed) by rfunk (subscriber, #4054)

Er, I should also note (before someone else does) that not all RFCs are
officially considered standards, and that when they are considered
official Internet standards they get STD numbers that few people actually
bother to remember (since they've already been busy implementing the RFC).

Looks like speculation

Posted Apr 9, 2008 16:24 UTC (Wed) by nix (subscriber, #2304)

Yeah, but you don't generally submit something as an RFC while it's still under heavy change:
they go through draft processes first. Under the definition of 'open' used in this document,
that wouldn't be open yet because the standards body hadn't accepted it!

(And submitting something to a standards body is neither necessary nor sufficient nor anything
more than indicative that people are free to implement it: notably, you can have things which
people are free to implement which are not standards, perhaps because all the code is freely
available. You can also have things which are standards which are in practice unimplementable
in full, perhaps because they're huge and somewhat ambiguous like CORBA or C++, or because
they're just too limited to be useful, like the earlier SQL standards.)

Looks like speculation

Posted Apr 11, 2008 13:36 UTC (Fri) by DanWeinreb (subscriber, #51526)

When we are talking about security, and saying that it's important for security software to be
"open", what we mean by "open" in this context is that anybody should be able to see how it
works.  You want it to be inspected by experts.  Most important, you want to avoid "security
by obscurity", which experience has shown is a bad principle.

So whether it is standardized by a standards body has absolutely nothing to do with the case.
If a new version comes out, of course that needs to be re-examined and re-audited.  And if no
finalized version has come out yet, that just means that it's not time yet for final auditing,
but it's a great time for the public to point out flaws and suggest improvements.

Some of the papers on Bitfrost are written as if Bitfrost were completely specified,
implemented, in use, and so on.  If so, then someone has grounds for complaint.  But they
should carefully complain about just that, NOT that it's "not open".

Standard?

Posted Apr 9, 2008 18:31 UTC (Wed) by ikm (subscriber, #493)

Why would anyone submit something like BitFrost to a recognized standards body anyway? It does
not look like a standard in the first place. It's just a design documentation, as far as I
understand. Later in the article they pin it down as being a (de facto) standard — what is so
'standard' about it?

I'd enjoy some good bashing of BitFrost, I've always disliked its trojan essence, but this one
seems to be uncalled for.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds