undefined | Better HN

0 pointsascagnel_4y ago0 comments

> There's nothing about FOSS that makes something secure, and building secure software is so hard and expensive that my guess is that you needs the sponsorship of a government of major corporation to do so. Some FOSS does have such sponsorships, but a lot doesn't

The F/OSS community has a weird collective amnesia about exploits that rubs me the wrong way -- just because someone can look at it doesn't mean that someone is looking at it, or even that the person looking at it is going to fix it instead of exploit it. Heartbleed was sitting out in the open for 2+ years, despite OpenSSL being a very popular package available under a permissive license.

0 comments

tablespoon4y ago

> The F/OSS community has a weird collective amnesia about exploits that rubs me the wrong way...

If you repeat something frequently enough, a lot of people will regard it as true. And a lot of people are extremely reluctant to reevaluate their judgements after they've made them, even in light of new information.

IIRC, the "FOSS is more secure" refrain started in the 90s/00s, when security was an afterthought even at companies like Microsoft and Apple and Linux was unusual enough to fly under the radar when there were a lot of big, high-profile worms circulating. But since then some closed-source commercial software has gotten much more secure, and FOSS has gotten more popular, but remains plagued by important projects that get by on shoestring resources.

j / k navigate · click thread line to collapse

0 pointsascagnel_4y ago0 comments

0 comments

tablespoon4y ago

> The F/OSS community has a weird collective amnesia about exploits that rubs me the wrong way...

j / k navigate · click thread line to collapse