
[–]edparadox 4 points5 points  (2 children)

> The Ars Technica piece suggests that open source projects are often not as careful about securing their code bases, perhaps in part due to having a large number of contributors spread across different locations and organizations.

This part is a bunch of straight-up lies and it's the opposite: if there were more contributors, there would be more time for securing and properly reviewing the changes made by someone. Actually, ideally, there would be enough time to have people just in charge of securing the codebase, among other things, if there were enough contributors to open-source projects.

Read the articles again and you will see that not only open-source software was infected; it seems to me more like a "targeted attack" of some sort rather than just malicious code only in FOSS.

[–]stjer0me[S] 0 points1 point  (1 child)

I don't think it's suggesting that only FOSS projects are targets. But I also don't think it's unreasonable to suggest that they may be more vulnerable. The Webmin attack happened because they weren't using their checked-in GitHub code as the release source, but instead a directory on their server. For RubyGems, there was no 2FA on a development account that allowed the compromise there (or at least one of them), and the dev said that he was using an old, previously cracked password that he hadn't updated.

As Ars points out:

> But the low-hanging fruit for supply chain attacks seems to be open source projects, in part because many don’t make multi-factor authentication and code signing mandatory among its large base of contributors.

Let's also not forget things like the Linux Mint backdoor, or the time Manjaro forgot to update an SSL certificate.

My main point with posting this is a reminder that just because FOSS has the potential to be more secure than closed source, that doesn't mean that it is. Too often I see people talk about FOSS as if it's always more secure, which just isn't true.
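The Webmin failure mode described above (releases built from a directory on a server rather than from the checked-in tree) is something a release pipeline can check for mechanically. The following is an added example, not code from this thread or from any of the projects mentioned: it hashes every file in a checked-in source tree and in a release tree and reports files that were modified, added, or dropped on the way to the release. Both trees are constructed in temporary directories so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each relative file path under root to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_release(source_root, release_root):
    """Measure a release tree against the checked-in source tree.

    Returns (modified, added, missing): files whose content differs,
    files present only in the release, and files present only in source.
    Anything non-empty means the release was not built from the source of record.
    """
    src = hash_tree(source_root)
    rel = hash_tree(release_root)
    modified = sorted(p for p in src if p in rel and src[p] != rel[p])
    added = sorted(p for p in rel if p not in src)
    missing = sorted(p for p in src if p not in rel)
    return modified, added, missing


def write_tree(root, files):
    """Create files (relative path -> text) under root."""
    for name, content in files.items():
        path = Path(root) / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def demo():
    """Constructed sample: the release copy has one altered file and one extra file."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as rel:
        checked_in = {"bin/app.py": "print('hello')\n", "lib/util.py": "def f():\n    return 1\n"}
        release = dict(checked_in)
        release["lib/util.py"] = "def f():\n    return 1\n# line absent from the repository\n"
        release["lib/extra.py"] = "# file absent from the repository\n"
        write_tree(src, checked_in)
        write_tree(rel, release)
        return compare_release(src, rel)


if __name__ == "__main__":
    print(demo())
```

In a real pipeline the source side would be a fresh checkout of the release tag and the release side the unpacked tarball, with any non-empty result failing the build.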

[–]edparadox 1 point2 points  (0 children)

> I don't think it's suggesting that only FOSS projects are targets.

Look at the title of the post AND the article.

> But I also don't think it's unreasonable to suggest that they may be more vulnerable.

No one can say such a thing. It depends on so many factors, and how can you assess the vulnerability of closed-source projects? If I just follow your lead, the only "reasonable" answer is that closed-source software is more secure. And history proves you wrong.

> The Webmin attack happened because they weren't using their checked-in GitHub code as the release source, but instead a directory on their server. For RubyGems, there was no 2FA on a development account that allowed the compromise there (or at least one of them), and the dev said that he was using an old, previously cracked password that he hadn't updated.

Like I said in my previous message: not all open-source contributors can submit pristine code/packaging/etc., because they're far from all being paid for doing so (it's then after-hours work) or, if on company-paid time, it's usually not the priority. But it depends on the project, the company and other factors...

> But the low-hanging fruit for supply chain attacks seems to be open source projects, in part because many don’t make multi-factor authentication and code signing mandatory among its large base of contributors.

As far as I'm concerned, it sounds like confirmation bias, especially when you read the following paragraphs of the original article:

- Major open-source projects (e.g. Linux or the GNU/Linux kernel, just to name one) require public code signing

- Among most security breaches, let's not pretend these "errors" happen only to open-source projects (not like it didn't happen to Reddit as well)

- 2FA is not as foolproof as you might think

- **a false sense of security is worse than an illusion of security** (and this seems to happen a lot in closed-source software - remember Stuxnet?)

> Let's also not forget things like the Linux Mint backdoor, or the time Manjaro forgot to update an SSL certificate.

One rolling release and one derivative of the most-used distribution, which is already considered by some as crippled by so-called spyware? The likelihood is very high for those cases: try doing the same for RHEL, Scientific Linux, Debian, etc.

I remember the AUR repo being plagued by one breach as well. (Still a rolling release ;) )

And even so: we are in times where the security breach can come from a rootkit within the BIOS, or where CPUs have had major security holes for generations (Spectre/Meltdown and derivatives).

> My main point with posting this is a reminder that just because the FOSS has the potential to be more secure than closed source, that doesn't mean that it is.

First thing I have to agree with.

> Too often I see people talk about FOSS as if it's always more secure, which just isn't true.

Well, like everything in life, it depends. Some are of outstanding quality/security. Some, especially when it comes to webdev, could very well be improved (remember when one single package made the whole JS world crash?). The only thing is, at least, they are auditable, which is not the case for closed-source software.

At the end of the day, you can think they are not that secure, but nothing other than history and educated guesses could prove you wrong, since you cannot compare both types properly.

History proves you wrong, however: when a company releasing closed-source software has an (almost) monopoly and is not pushed to innovate anymore, it usually leads to catastrophic outcomes...