Why is open source software more secure?
Open source software has long had a reputation of being more secure than its closed source counterparts. But what is it that makes open source software more secure? A redditor recently asked that question and got some interesting answers.
Parasymphatetic asked his question in the Linux subreddit:
So there is a common argument that Linux and open source software is more secure than their windows counterparts. Now, as an open source and total Linux newbie I have the following question: How so?
How do you know that the compiled program you download is exactly like the source code they provided? And does anyone actually check ten thousands of lines of code provided by someone? Do you?
And don't you put the same trust into the people of Valve and Blender like the frowned upon Windows users trust Microsoft?
His fellow Linux redditors responded with their thoughts about why open source software is more secure:
Bushwacker: ”It's all available for inspection. You can build the code yourself, including the kernel. Now about backdoors in compilers, that's another story.”
AiwendilH: ”It's not that opensource software is necessarily better engineered...it is that without the sourcecode it is impossible to see what a program does. So opensource software is seen as more secure as it is the only kind of software that can be checked for security at all without needing to blindly trust someone...everything not open-source can't be checked and by this has to be seen as insecure.”
Daemonpenguin: ”Open source is not automatically more secure than closed source. The difference is with open source code you can verify for yourself (or pay someone to verify for you) whether the code is secure. With closed source programs you need to take it on faith that a piece of code works properly, open source allows the code to be tested and verified to work properly.
Open source also allows anyone to fix broken code, while closed source can only be fixed by the vendor.
Over time this means open source projects (like the Linux kernel) tend to become more secure people more people are testing and fixing the code.
Anyone who makes a general statement like "Open source software is more secure," is wrong. What they should say is, "Open source software can be audited and fixed when its behaviour or security is in doubt."
Does anyone check the code? A lot of people do, especially on larger projects like Linux, the C library, Firefox, etc. Do I? Usually no, but I have done a few audits on code I was running to make sure it worked properly.
I usually don't trust Microsoft or Valve or any other closed source software. And I usually only really trust open source projects that have been proactive when it comes to security.”
Toemme: ”Currently Debian is attempting to get their packages build reproducibly[1] , so you can check if the binary you get is really built from the source code they show you.”
Eingaica: ”Most (if not all) binary distributions compile software and don't use pre-compiled binaries provided by the developers. At least that's the case for free/open source software. Whether you can trust that the binaries you get from your distro are identical to what you would get by compiling yourself is a different problem (see e.g. Debian's reproducible builds project).”
OMGTokin: ”...it is true that you are installing binaries and putting a lot of trust in upstream. Pretty soon as others have mentioned there will be reproducible builds, but luckily for you most software you install has a git repository which will allow you to pull source code to aduit and compile yourself.”
Sendme: ”The level of paranoia you're talking about is pretty far out there. The problem with closed source software as far as security is concerned is that only a few people can view the source code and try to fix it. FOSS has a lot more developers looking at the code so hopefully that yields more bugfixes.”
Tymanthius: ”Here's the thing, unless you're going to back up SEVERAL layers deep to make compilers, you have to start trusting somewhere. Also, there's the plain & simple fact that most of us just aren't that important/interesting to spy on.”
Justcs: ”License does not dictate code quality.”
Whotookmynick: ”...you can't trust any large amount of code for another you can use tools like wireshark, strace etc.
Apple and MS (and valve) are USA based companies, so if their government told them to do something they would have to comply. Another thing is the german government that actually makes trojans legally.
As for personal security beyond that, your router filters out most of the threats unless your computer opens a port itself, you should be fine under linux/bsd X can open one, sshd opens one, vnc, skype/irc/whatever but they have to have vulnerabilities exploitable over a connection”