Re: How regularly is the GnuPG source code examined?
Available news archives: comp.lang.tcl - comp.lang.python - comp.security.firewalls - sci.crypt - comp.lang.php - comp.lang.javascript
Google
 
Web news.hping.org


sci.crypt archive

Re: How regularly is the GnuPG source code examined?

From: Ari Silversteinn <abcarisilverstein@yahoo.comxyz>
Date: Tue Sep 27 2005 - 20:34:29 CEST




> "Unruh" <unruh-spam@physics.ubc.ca> wrote in message 



>> Yes, but the open source means that the developers know that someone could


>> be looking over their shoulders. Closed source is far far more susceptible


>> to rogue programmers-- noone to check up.



On Tue, 27 Sep 2005 10:16:21 -0700, Alun Jones wrote:


 


> That's a rather empty argument, IMHO - plenty of closed source programmers 


> have to worry about people looking over their shoulders at the source code. 


> There are external audits (particularly of security-related code), formal 


> and informal peer-reviews, and finally the prospect of having to deal with 


> requests for help from technical support, if they can't understand the code.


> 


> Then there are source licences (a great many governmental organisations and 


> businesses won't accept programs that they can't peruse the source to, and 


> they often pay for that privilege).


> 


> Open Source's "many eyeballs" doctrine is a tenet of religious faith, rather 


> than one that's backed up by processes.  Open Source is released and 


> _assumed_ to be looked at by others.  How many people in the world could 


> investigate a crypto implementation and determine if it's secure, safe, or 


> even correct?  Now scratch off all the ones that are too busy working on 


> other things to engage in code analysis for which they aren't paid.  Scratch 


> off all the ones who can't look at other code because it would lead to 


> intellectual property issues.  Keep scratching, because then you have those 


> that aren't aware of, or interested in, your work.


> 


> Eventually, you're left with a pretty small number of eyeballs, one that can 


> easily be exceeded by a medium-sized company hiring out for an external 


> audit.  And when you're paid to inspect source code, you're far more 


> motivated than if you are entirely on your own time, and your only reward is 


> your own interest in the project you're working on (and possibly a little 


> advertising).  Let's face it, code analysis is dull, dull, dull, especially 


> if you're trying to do a good thorough job of it.  Finding someone to do it 


> just because it's interesting is a non-starter.


> 


> Alun.


> ~~~~



What he said. lol



-- 
Drop the alphabet for email


Received on Thu Sep 29 21:58:20 2005