Who’s checking the code? Security of open source is being questioned

Many people, including me, have frequently preferred open source software to commercial software when given a choice. Now that may be changing.

“For too long, the software community has taken comfort in the assumption that open source software is generally secure due to its transparency and the assumption that “many eyes” were watching to detect and resolve problems. But in fact, while some projects do have many eyes on them, others have few or none at all.”

Kent Walker

President Global Affairs & Chief Legal Officer Google & Alphabet


Since a picture is worth a thousand words, here is how xkcd envisioned this situation:

As a big proponent of open source software, a lawyer who’s served as a volunteer as a Linux Foundation working group (Software Package Data Exchange), and someone who’s published some open source software (date-time-tools library), I don’t fully buy this argument. I can’t fathom the possibility that open source software is less secure than proprietary software, and it seems generally the case that the opposite is true.


That xkcd hits the nail on the head in the physical world, too. I watched a laboratory descend into chaos as their lab manager left without training anyone on how to maintain a set of macros used to automate data that was widely used throughout the department. She wasn’t selfish about it, she’d just built and maintained them with maybe 15 minutes of work a week and assumed everyone in the department could do it too.


Mr,Walker’s remarks, while arguably true, don’t change anything. It’s obvious that some projects receive more attention than others, and that any given project receives more attention at certain times during its lifecycle, and little or none at other times. This has always been true, and will always be true, but that doesn’t change the fundamental natures of open source vs proprietary software.


Well said.

(Happy New Year… Have a nice weekend…. 20 chars)

Anyone who thinks open source software is secure by virtue of it being open source is an idiot.

Anyone who thinks closed source software is secure by virtue of it being closed source is an idiot.


I think the “more secure” claim of FOSS relies on a sense of altruism in the community, and there’s less of that than would be required for the claim to be obviously true.

But that doesn’t mean it’s obviously false, either.

Big companies with closed source projects can go years without fixing breathtakingly obvious bugs. Just look at the many known flaws in macOS for example. We generally believe Apple is pretty responsive regarding security issues, but how many minor (not newsworthy) security issues could there be that we don’t even know about that Apple isn’t addressing because they’re not important enough yet?

Either way, it seems to me that it’s about how many people are actually working on the code, and their priorities.

1 Like

Unfortunately what’s changed is now individuals and/or groups are actively introducing vulnerabilities in open source code. These “supply chain attacks” increased 650% in 2021. For example two or more changes are introduced into a project, perhaps at different time. Neither are dangerous individually but they create a backdoor when used together.

I’ve been out of the game for a few years, but given what’s going on now I would be very cautious when updating any code on my servers that hadn’t been recently vetted.


Huh, I don’t really think about FOSS increasing or decreasing security. I prefer it because of futureproofing: if an app makes changes I don’t like, or changes their business model, or stops updating, I can always fork it and maintain it myself. I can also contribute towards features I want to see added and give back to the dev that way. This is why I read much of the code when choosing FOSS apps, and usually don’t give them preferential treatment if they’re written in less-common languages or too complex for me to maintain myself (e.g. I don’t care that my browser, Vivaldi, is closed source, because I wouldn’t be able to maintain a FOSS browser anyway).


It seems the gov is trying to play both sides.
At least the theater of wanting more secure open source software, while simultaneously wanting vendors to add back doors to their software. (A bit of “it’s okay if we’re doing it”.)
Then there’s closed source, like Flash Player

And (I haven’t read transcripts) that’s not to mention the security of firmware, hardware and programmable logic (FPGAs). Huawei comes to mind.

Absolutely no snark intended - is this something you’re actually capable of doing?

I’m a programmer, but my skills aren’t in the areas that generally apply to (for example) the Linux kernel or the major systems programming stuff. I couldn’t code an OS, or write a compiler.

And a number of the people I know who advocate Linux and such for FOSS reasons would be far less capable than myself.

Nothing against FOSS - I use plenty of it. I’m just wondering how much water the arguments would hold if we pushed them.

1 Like

I think we could say that about pretty much any article relating to the government, without even having to read it first. :smiley:

1 Like

Don’t sugar coat it Chris, tell us what you think. :grinning:


By far the most devastating supply chain attack thus far was introduced through the closed source SolarWinds Orion software.


That, and the human element is a big factor too. The big issue with the oil pipelines a ways back was a compromised password on an insecure VPN, and from what I read at least one place the security practices were bad enough that employees who actually noticed what turned out to be the breach didn’t report it properly.

I mean…secure software is great. But non-trained employees, bad security practices, and stuff like that need to be addressed at the same time.

See here:

I’m not capable of maintaining things like OSes or programming languages either, but web apps, small CLI utilities, and not-too-complicated desktop GUI apps are fine.

Oh, and another reason I like open source is because I can crack open the code of a tool I use and learn how the devs made it the way it is. Learned a lot that way.

I’d argue that in any case, open source would be at worst equal to closed: there’s either someone who would fork it and maintain it, or it would be left to die the same way closed source software would.

Incidentally, this is one reason why I’m working on building more of my own software, inspired by this article.


Ah the eternal open vs closed source debate. I love it, it’s as regular as daisies in the spring. Adorable. Well, since I’m already here…

The problem with all software is and always has been economics. Lots and lots of open source software starts as a passion project and is eventually abandoned because the developer loses interest in it. Why does the dev lose interest? Lots of reasons, but mainly because they can’t make a living off of it.

If they can make a living off of writing open source code, then it’s because there’s a company with a business plan that depends on this software sending money their way. I’d say this is the exception rather than the rule.

The very best software comes from independent developers building their passion project and then selling it to continue allowing them to spend their time building their vision. This is the best combination of high quality software and a sustainable economic model. See BBEdit, MarsEdit, Transmit, DEVONthink, iA Writer, MindNode, Hazel, etc… These business models aren’t viable as open source.

So, when it comes to security, again I look for software that’s well maintained, well funded, and has a reputation for high quality. The more love and attention a developer can put into their project, the better that project will be. If the developer is incentivized to continue developing the project they’ll make sure that its bugs get fixed and security issues taken care of.

If they aren’t… they won’t.

It’s not so simple these days. Most software is a mix of open and closed. For example, macOS was derived from FreeBSD and still shares some important code from there. I’m sure most of the servers in Apple, Google, Facebook, etc use tons of open source software. Python is one of the most popular languages these days and it is entirely an open source project. As a matter of fact, the founder of Python now works at Microsoft!

A related problem: Developers of open source are often doing unpaid labor, and often businesses will then profit from that labor.

Often, the businesses that profit from open source will employ developers to work on those projects, but that practice is not universal.

Web3 claims to be designed to solve this problem, but I am skeptical.

1 Like

So am I. A decentralized system with everyone running their own servers? That doesn’t sound like something that would attract the attention of a ton of billionaire investors.