Open Source Security Question

May 10, 2006 13:20

Penguicon's tech guest of honor in 2007 will be Bruce Schneier, security guru. I was mentioning to Eric Raymond that I will be Head of Programming for Penguicon this year and looked forward to putting Bruce Schneier on panels about viruses, spyware and rootkits. Eric said something to the effect of not being interested in closed source software. I can't remember the exact sentence but it may have been referring to something to do with security programs that people use to protect their computers, such as McAfee, Symantec, Norton and so forth. Those are closed-source software.

Bad Windows security seems to affect Linux users too. We don't want to have to live in a world full of compromised botnets that are being used to send us spam.

Here now is the setup to my question.

The reason open source software can be trusted and closed source software can't is that someone can read the code of the open source software to ensure that it's free of spyware and other malware. A computer geek who reads the source code, compiles it, and installs the software can be assured that he knows what he's running.

Those of us to whom source code is unintelligible, and who don't know how to compile software from source code, use pre-compiled installer programs of open source software that we download from the internet. Someone in the open source community has presumably checked the source code of the program, but what about the particular copy of it that we are getting? What's to stop someone from distributing a precompiled installer of a popular open-source program, but altering it to include malware that will compromise the computer? Those who can't read source code would think we had the same program as everybody else.

Is this scenario likely or unlikely? Would it work? Is there anything set up to prevent it?
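One mechanism that exists to answer the last question, shown here as an added example that is not part of the original post: projects publish a checksum file next to their downloads, and a user (or an installer or package manager) recomputes the digest of the downloaded file and compares it against the published value. The file names, bytes and digests below are constructed for the example; the check only proves anything if the checksum file itself comes from a trusted channel (the project's own site, or a file verified against the project's signing key), since a redistributor who controls both the installer and the checksum list can replace both.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a downloaded file's bytes, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def parse_checksum_file(text: str) -> dict:
    """Parse the common 'DIGEST  FILENAME' line format that projects publish
    alongside their downloads (a SHA256SUMS-style file). A leading '*' on the
    file name (binary-mode marker) is dropped. Returns {filename: digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        expected[name.strip().lstrip("*")] = digest.lower()
    return expected


def verify_downloads(files: dict, checksum_text: str) -> dict:
    """Compare each downloaded file against its published digest.
    Returns {filename: True/False}; a file that is missing from the checksum
    list is reported as False rather than silently trusted. The checksum text
    is assumed to have been obtained from a trusted source (see lead-in)."""
    expected = parse_checksum_file(checksum_text)
    results = {}
    for name, data in files.items():
        published = expected.get(name)
        # hmac.compare_digest does the comparison in constant time.
        results[name] = (published is not None and
                         hmac.compare_digest(sha256_hex(data), published))
    return results


# Constructed sample release: stand-in bytes for an installer and the
# checksum line the project would publish beside it (hypothetical names).
GENUINE = b"exampleapp-1.0-setup\x00" + bytes(range(64))
CHECKSUMS = f"{sha256_hex(GENUINE)}  exampleapp-1.0-setup.exe\n"

# A redistributed copy with extra bytes appended, as in the scenario above.
TAMPERED = GENUINE + b"\x90" * 8 + b"injected"

if __name__ == "__main__":
    print(verify_downloads({"exampleapp-1.0-setup.exe": GENUINE}, CHECKSUMS))
    print(verify_downloads({"exampleapp-1.0-setup.exe": TAMPERED}, CHECKSUMS))
```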

software, computers, open source, computer
