It's the job of security auditors to ensure that this code is safe and doesn't contain any malware or adware; none of the lay users have that kind of expertise. And yet, I was astounded today when I came across a comment on reddit made by a senior xfce dev who says that the GNOME project doesn't perform any extensive code audits at all[1]. To quote the user Sidnioulz:
> > Has there ever been a code audit for any of the more popular Linux DEs?
> There might have been for KDE? GNOME does not audit anything as far as I'm concerned. They state they review Shell extensions but the involved process has been discussed on their mailing list and it's essentially a "does the code look nice" review rather than a security audit.
[1] https://www.reddit.com/r/xfce/comments/47eoji/does_xfce_have_a_security_advisory_team/d0d93dk
A senior xfce developer saying this is a matter of grave concern. What I take from this conversation is that some amount of transparency is needed in the auditing mechanism: a way to communicate to the lay users that the security audits are indeed taking place, and a mechanism for them to verify the same. This must happen if we want to avoid the next fiasco like that of Linux Mint. Granted, the Mint fiasco doesn't relate directly to the source audits of the GNOME project, but the larger question here is the importance of security audits. Had their forum software (phpBB) been audited properly, they would surely have avoided a huge loss in trust, PR and reputation.
The moral of the story is: "Make security audits a part of the development process itself, not an afterthought."