It's a problem of incentives
Posted Feb 5, 2004 17:59 UTC (Thu) by
mrfredsmoothie (subscriber, #3100)
Parent article:
Needed: code auditors
The article hits on 3 points which serve well to define the real issue here:
- "[In the Sardonix project, s]ufficiently skilled and productive auditors would be able to accumulate a large 'audit karma' to show their friends."
- "with all those eyeballs on the code, security problems are found and fixed quickly ... [but] fewer people are actually looking at code than many of us would like to believe"
- "the black hats are already doing this work for their own purposes"
I look at a lot of open source code. But, as ESR has said, we do OSS for a variety of reasons; scratching an itch, "establishing a rep," etc. I generally only look at OSS code because a) I'm using it (or want to), and b) it isn't working/won't work on my hardware/I want to extend it, and need to understand it.
I do OSS in my spare time. So, for me "'audit karma' to show [my] friends" is not significant enough incentive to do security auditing, which, as the author acknowledges, is thankless, difficult, error-prone and time consuming.
For "black hats," while this type of code inspection may be difficult, error-prone and difficult, it's probably not "thankless;" they will get root on your box/steal your credit card #, etc. They have a concrete incentive.
Fix the incentives (i.e., Sardonix could have used a little bit of that DARPA money, or OSDL could set up a fund, etc. to actually PAY users to do this type of work), and you'd be much more likely to see active participation. After all, isn't this just the kind of "services on top of OSS" new business model we're always hearing promoted?