On Thu, Apr 10, 2014 at 11:07:32AM +0100, Philip Hudson wrote:
> What Heartbleed means for Free Software -- Sam Tuke's blog
> https://blogs.fsfe.org/samtuke/?p=718

I've not seen anyone use Heartbleed to slag off free software, which is nice. And the article makes a number of good points. But it's also written with the FSFE's agenda in mind, and in doing so, it missed the point a bit.

"Microsoft last year admitted to sharing details of vulnerabilities in their software in secret before they were fixed, leaving their own customers exposed to exploitation."

Details of Heartbleed were shared in secret before they were fixed. Linux distros were told about it, as was CloudFlare and a few others. I don't know if the NSA was informed. Given that they're also tasked with defending networks, it would make sense, but given their current reputation, it's probable no one told them directly about it. But of course they learned about it - if they didn't already know.

Mind you, the fact that vulnerabilities were shared "in secret" at first is a good thing. As is the fact that Microsoft does the same when it comes to vulnerabilities in its products.

"What prevented this bug from going undetected for another two years? Heartbleed's discovery took place during review of source code that wouldn't have been possible had OpenSSL been proprietary."

I'm not very optimistic about code reviews for proprietary software, but when non-free software is so widely used as OpenSSL is, I kind of think a vulnerability as serious (and as relatively trivial) as this one would have been picked up earlier.

"Heartbleed demonstrates that Free Software encourages independent review that gets problems fixed."

Yes. After two flipping years!

I do think it's great that OpenSSL is Free Software. But when it comes to such complex (crypto is complex) and such widely used software packages, the difference between "anyone can check the source code" and "people will check the source code" is big.

And that's a big problem. We shouldn't blame OpenSSL's developers though. Or even Free Software. But perhaps we should blame those large users who use OpenSSL for free, without spending a penny on code reviews. A point also made by the developers of OpenSSH (note the difference) in the final paragraph here: http://www.openssh.com/

Martijn.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq