Networking equipment is one of the last bastions of technology where opaque, proprietary, closed-source hardware continues to thrive. This opacity—combined with networking equipment functioning as the backbone of enterprise computing—creates a fertile breeding ground for fear, uncertainty, and doubt to proliferate. As a result of this, Huawei has spent nearly a decade embattled by accusations of spying for the Chinese government, and since May, a blacklisting.
[...] There's an aphorism named "Linus's Law" which states "Given enough eyeballs, all bugs are shallow." This plausibly applies to Huawei's circumstances: Publishing the full source code to Huawei products is a simplistic—and maximalist—way of dealing with security vulnerabilities and undercut accusations of spying that have plagued Huawei for years.
Opening Huawei products to third-party scrutiny would—at a minimum—surface situations where third-party open-source libraries are not being properly updated, if not allow security researchers the ability to identify vulnerabilities in Huawei-developed code. Such an initiative could also be used to create a shared build platform, making security updates easier to deploy across different device models.
(Score: 3, Insightful) by hopdevil on Thursday August 08 2019, @10:39PM
Open source is a double edged sword when it comes to security. You hope more people honorably look at your source code and report vulnerabilities than those that will exploit then. In truth this model needs more of an active community of developers than security folks. I don't think that is Huawei's business model.
Besides, binaries are easy enough to reverse engineer. When you have hardware based hidey holes, it is unlikely anyone but a government sized budget will find you.