undefined | Better HN

0 pointsSomeone123411y ago0 comments

> Most of the people that dismiss the security advantages of open source either don't understand them or are trying to sell you some closed source code.

If you wish to imply the issue is due to my lack of understanding then go right ahead, but at least first explain why what I said is wrong.

A lot of people get their apps from the app stores on Android/iOS/etc. App stores do not provide the raw source and let you compile it last time I checked. So in order for OSS to provide a security advantage over closed source you'd have to sideload your apps after doing the inspection and compilation stages yourself (or having a trusted third party do it).

People throw the "open source so secure" justification around all the time, it is rarely justified. Really you aren't trusting OSS, you're trusting third parties who inspect the code on your behalf (e.g. distro' vendors in the Linux world). In the app world there are no third parties doing the verification step for you, unless you count Apple.

0 comments

JohnTHaller11y ago

As a general rule, you're trusting both the publisher and 3rd parties that can verify the code makes the build.

An app store can easily provide a binary that can be verified by 3rd parties. Again, it's more about others being able to verify it rather than you being able to build it yourself. And the publisher can provide the source via another means to all interested parties.

App stores aren't the best example since it's mostly closed source games and social apps... think Candy Crush and Facebook. On Android, I run many apps that have the full source code available like Firefox and KeePass. Quite a few public eyes are on apps like Firefox, including on the build system. Most real work and real apps run on desktops and laptops where you don't even have the limitations of the app store to worry about (though you do moreso with each build of Mac OS X).

Saying 'both types of publishers can lie!' is a bit of a false equivalency. On the open source side, you have deterministic builds. And, even without verification, open source is a big advantage over closed source. Others can look through the code to see how it works. Verify that security elements are properly implemented. Submit fixes to such elements. Even see how it works in code to ensure you have more complete testing of the provided binary and have an easier time knowing if something that wasn't in the code was added, since the binary is doing something it shouldn't be based on what the code says. You get no such benefits from closed source code.

j / k navigate · click thread line to collapse