posted by takyon on Sunday December 30 2018, @07:14PM
from the euro-signs-for-eyes dept.

The European Union will foot the bill for bug bounty programs for 14 open source projects, EU Member of Parliament Julia Reda announced this week.

The 14 projects are, in alphabetical order, 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PuTTY, the Symfony PHP framework, VLC Media Player, and WSO2.

The bug bounty programs are being sponsored as part of the third edition of the Free and Open Source Software Audit (FOSSA) project.

EU authorities first approved FOSSA in 2015, after security researchers discovered a year earlier severe vulnerabilities in the OpenSSL library, an open source project used by many websites to support HTTPS connections.

Announcement.
  • (Score: 2, Insightful) by MostCynical on Sunday December 30 2018, @10:30PM (5 children)

    by MostCynical (2589) on Sunday December 30 2018, @10:30PM (#780084)

    Can't find the -1 you're a moron mod.

    Very few "billion dollar companies" have managed to get themselves away from proprietary software.

    Open source means more secure, means anyone can fork, means anyone can use, means lots of things that aren't bad.

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
  • (Score: 2) by fyngyrz on Sunday December 30 2018, @10:45PM (4 children)

    by fyngyrz (6567) on Sunday December 30 2018, @10:45PM (#780087)

    Open source means more secure

    No, it means more open; it does not mean "more secure." It just means someone outside the corp can look as opposed to only someone inside, and it still doesn't mean they will look, or having looked, will find, or, having found, will fix what they found or report it. Further, the source being open means that the black hats can look — and act — if they want to as well. So it's just not a clear "more secure."

    means anyone can fork

    Depends on the license. There are quite a few levels of this, including "your changes must be open", which is anathema to many businesses, as it means that effort they pay for does not only accrue to them. Business 101 teaches "don't enable your competitors", and for very good reason.

    means lots of things that aren't bad.

    Agreed (and in fact, I've done a fair bit of open source, plus some non-open, but free.) But it also has two sides, like everything, I suppose. It's just not a clear cut case of "open source is always better." It comes down to what the goals are.

    And frankly, if you want to make a living at writing software and doing it well, open source is a blind alley. If you write reliable, secure code that is well documented and solidly addresses the problem you're trying to solve, there's no percentage in the "support" vector, either. If, OTOH, you write lousy code, and/or lousy documentation, and/or software that is still missing significant functionality, yeah, you can charge people to "fix" that if you can get them to use your stuff in the first place... but that's not really how to create good software, is it?

    --
    They said: "You weren't listening, were you?"
    I thought: "Isn't that a weird way to start a conversation?"

    • (Score: 3, Insightful) by maxwell demon on Monday December 31 2018, @09:01AM (3 children)

      by maxwell demon (1608) on Monday December 31 2018, @09:01AM (#780195)

      No, it means more open; it does not mean "more secure."

      With closed source software you have to trust the sole provider to not put anything in that you don't want. With open source software, you have the option to either look for yourself, or to pay someone whom you trust to do it for you.

      It just means someone outside the corp can look as opposed to only someone inside,

      Which is a big deal, because someone outside the company providing the software likely has different goals than the company, while someone inside that company is bound to act in the interest of that company.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 2) by fyngyrz on Monday December 31 2018, @04:44PM (2 children)

        by fyngyrz (6567) on Monday December 31 2018, @04:44PM (#780300)

        With closed source software you have to trust the sole provider to not put anything in that you don't want.

        Same with open source. Have you read every line of every bit of open source you've ever used? Even if you have, do you think everyone has? Do you think they all understood what they read? The argument that "it's open, so it's safer" depends on underlying assumptions that are very rarely true.

        With open source software, you have the option to either look for yourself

        The option isn't the fact.

        pay someone whom you trust to do it for you.

        Again, extremely rare. Particularly in a community that is biased so strongly against paying for any aspect of software. OTOH, the business who writes closed source software is already paying someone to look into the issues that concern it; and security issues are becoming more important as liabilities stack up against these operations.

        Which is a big deal, because someone outside the company providing the software likely has different goals than the company, while someone inside that company is bound to act in the interest of that company.

        Step back for a moment and think about what those interests are:

        • Sell the product initially
        • Sell upgrades
        • Get and maintain a market position to continue doing this

        It appears — to me — that accomplishing the above requires attention to problems.

        Now consider the open source authors. Suppose the thing doesn't work right. They're not making any money. They are, presumably, doing something else to make money. So where do their priorities lie?

        For instance, take the Rocketchat developer install. [rocket.chat] It straight-up doesn't work. I've had problem reports in to them for months now. No response. I mean no response. Zero. Zip. Nada.

        Or, take the Qt [www.qt.io] project, which is interesting because it's both open source and commercial. You'd think that'd give them the best of both worlds, right? Motivation to fix, because they are making some money, and all those eyes helping out.

        But no. That project is as buggy as a New York slum apartment. Crashes, serious memory leaks, APIs with holes in them you could drive a big truck [youtube.com] through. It has been since version four. Report bugs, they often don't get fixed. The project is either too large for them to address the problems with the people they have available, or they simply don't care, you decide. But the bottom line is, the thing is broken all over the place. Believe me, I know; I've been using Qt since version 4.6.

        Now magnify that times no financial motivation. Ouch.

        Still, overall, they fix more than, for instance, the rocketchat people do.

        Look. I'm not saying all open source is buggy and non-fixable. It's not. I'm also not saying corporations are the only way to make good software. I'm just saying that on the one hand, there are accountable motivations; and on the other, there aren't. The evidence shows that corporations are not entirely bad at software. It also shows that open source folks are not entirely good at software.

        My conclusion is that neither way is optimum, and a fan of either way is really not in a position to cast any stones.

        --
        Calculus... the agony and dx/dc.

        • (Score: 1) by khallow on Monday December 31 2018, @06:40PM

          by khallow (3766) on Monday December 31 2018, @06:40PM (#780342)

          It appears — to me — that accomplishing the above requires attention to problems.

          Or burying problems so the customer doesn't hear about them. Conflict of interest is a thing.

        • (Score: 2) by Pav on Tuesday January 01 2019, @12:33AM

          by Pav (114) on Tuesday January 01 2019, @12:33AM (#780450)

          Do you work in I.T.?

          Commercial providers (unless they have a ready fix) ALWAYS DENY a problem is known, or that anyone else is having the same problem... it's INDUSTRY PRACTICE! I've even been gaslighted in this way EVEN WHEN I'd spoken to other customers who had confirmed the problem (and also said they'd been given the same runaround by technical support). Free Software people are easy to deal with in comparison, and if there are no resources to quickly deal with a simple problem one can deal with it oneself.