On Sep 7, 2013, at 9:39 AM, Phillip Hallam-Baker <hallam@xxxxxxxxx> wrote: > Nor does being open source provide any additional security, only review provides security and it is hard enough getting people to review other people's code when you pay them to do that. Expecting people to spend their time reviewing other people's code for fun is naive. Kerberos had a major architectural flaw that went unnoticed for over a decade. On the contrary, I used to suffer through security audits on ISC DHCP code back in the day; people were doing this entirely on a volunteer basis. I think it's incorrect to suggest that open source code doesn't get audited, and indeed it's likely that it gets audited more thoroughly and more usefully than a lot of closed source code. It really depends on the setting. My own company sells closed-source code; Andrea asked me the other night whether I thought there might be something scary in the code. I thought about it, and concluded that it was unlikely, because we have a very small, tight team, and everybody sees all commits. I think it would be difficult to suborn our code without everyone on the team knowing about it, and knowing who is on the team, that would quickly be the rest of the world. An open source project with a less tight team, or a completely suborned team, might be far less trustworthy. But another closed-source project might be far worse, if for example the repository were so big that nobody watched all commits, and the set of committers so large that it would be easy to suborn one of them. I think the only rule you can go by here is caveat emptor, whether the code is open or closed. You need to actually figure out who you are doing business with. As for compilation versus source, that's a real issue, but open source is a clear win here, because you have both the input and the output, and you can compare them. Here, an open source project with a clear build process that is replicable is a huge win over one that is complex and wonderful and non-replicable. Knowing quite a few of the latter, I hope to see improvements that some increased paranoia might yield as people flock to the more verifiable builds, and the projects with poor build processes fix them.