On Mon, 2018-02-05 at 09:39 -0800, Jens Alfke wrote: > > On Feb 5, 2018, at 9:21 AM, Drago, William @ CSG - NARDA-MITEQ <Wil > > liam.dr...@l3t.com> wrote: > > > > The reliable part is easy because there is enough information on > > the SQLite website about testing, but what about security? > > Open source software is more secure than closed source, since the > source code can be reviewed and audited.
It is considered more easy to verify, sure. But there are still some big questions: 1. How do you know the source you're looking at is what you're running? 2. How do you know the source you're seeing is compiled correctly? Look at the buglists for common (*cough* gcc *cough*) compilers. 3. How do you know the CPU you are running on is running the code correctly and that it is secure? Common microprocessor vendors have hundreds of errata for chips still being sold. The only way to know what code is doing is to trace it on the target hardware. We don't need source code for that. And even that could be misleading if the hardware is broken or deliberately subverted. > (In the security field, closed-source cryptographic software isn’t > even taken seriously since it’s not possible to verify its claims, > just as scientific results need peer review and independent > confirmation.) That is true but perhaps closed-source cryptographic _algorithms_ are the issue and not source code. And this is just for reference implementations... you can still verify exactly what you have without source code. It just takes more effort and personally I believe it's more reliable. I don't believe RSA or IBM or any of the other vendors have open sourced any crypto code. I think what typically happens is when they come up with a new standard they produce a reference implementation and then after the contest is over they implement whatever they implement and everybody just uses it. > I don’t know if this will convince your IT management though, because > if they’re against open source they must be remarkably backward... I don't think that is necessarily so. Many companies want/need to be able to point fingers when something goes wrong. And they need to get their systems working ASAP. The vast majority of open source projects have no accountability, they're free as in beer and as long as it works for the guys spending their time writing it they're done. Companies (especially publicly owned and traded companies) really can not rely on freebies and goodwill if they want to stay in business and keep their executives out of jail. Open source quality is atrocious. Sure, a lot of closed source quality is atrocious too. Free stuff should be expected to be worth price paid and most of the time it is not even that. sqlite (and fossil!) are wonderful, wonderful projects. But there is a sea of unsupported garbage out there and nobody who wants to keep their job can feel safe wading through that. There is also the issue of viral contamination of GPL, etc. I think Dr. Hipp did everything right but even so, he is in the tiny minority. /jl _______________________________________________ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
