undefined | Better HN

0 pointscassianoleal4y ago0 comments

There's also the matter of traceability.

Even if there is no direct audit of the code, once a vulnerability is discovered it can be traced back to the person(s) who introduced it.

With a closed system, only the owner of the source code history can do that. With open source, any person in the world can, and can start a discussion to understand whether it was malicious or not, if the person(s) should be banned from pushing code, new code security standards to be adopted, etc. You lean on the world's expertise at that point.

Bad things happen. It's important to have the ability to understand why and mitigate for the future.

0 comments

pjmlp4y ago

Nope, it can be traced back to a random nickname on the Internet, using a computer somewhere in the globe.

cassianolealOP4y ago

That may be so, but it's usually been through code reviews, pull requests and whatnot - which means a maintainer somewhere has approved that code.

In any case, "a random nickname on the Internet, using a computer somewhere in the globe" is a lot more information than none.

Finding out that that's the case for a given project is part of traceability.

pjmlp4y ago

How do ensure it wasn't a malicious maintainer?

That information is meaningless if traces back to an empty room.

1 more reply

Traf4444y ago

I guess you have never had commit rights to any Linux distribution or such?

You don't get commit rights as a random person, so yes, a commit can usually be traced back to a person. Sure, the committer could have received a patch from a unknown person, but then he's still responsible for the commit.

pjmlp4y ago

I guess you are a security expert that knows how every single FOSS project that might be used as dependency works.

1 more reply

j / k navigate · click thread line to collapse

0 pointscassianoleal4y ago0 comments

There's also the matter of traceability.

Even if there is no direct audit of the code, once a vulnerability is discovered it can be traced back to the person(s) who introduced it.

Bad things happen. It's important to have the ability to understand why and mitigate for the future.

0 comments

pjmlp4y ago

Nope, it can be traced back to a random nickname on the Internet, using a computer somewhere in the globe.

cassianolealOP4y ago

That may be so, but it's usually been through code reviews, pull requests and whatnot - which means a maintainer somewhere has approved that code.

In any case, "a random nickname on the Internet, using a computer somewhere in the globe" is a lot more information than none.

Finding out that that's the case for a given project is part of traceability.

pjmlp4y ago

How do ensure it wasn't a malicious maintainer?

That information is meaningless if traces back to an empty room.

1 more reply

Traf4444y ago

I guess you have never had commit rights to any Linux distribution or such?

pjmlp4y ago

I guess you are a security expert that knows how every single FOSS project that might be used as dependency works.

1 more reply

j / k navigate · click thread line to collapse