I am concerned that Mr. Jones's column of February 11th, "Open Source is Fertile Grounds for Foul Play," indicates a significant misunderstanding of open source development processes. The argument presented is that all software development carries the risk that malicious code will be inserted by insiders, and that open source is especially vulnerable because more people are insiders. The first part is absolutely true, and applies to both closed and open source development as Mr. Jones acknowledges, but the second part does not stand up to scrutiny.
Most open source projects have only a small group of "core developers" who have the ability to modify the official source code, just as is the case with proprietary software development. Any malicious person could insert destructive code into his or her own copy, but not back into the official version. That leaves the possibility of intentional compromise by the core developers, or by subsequent distributors. The first is a risk, but less so than with proprietary software: The number of people in a position to corrupt the source is similar in both models, but the possibility of outside review reduces the danger for open source software. Mr. Jones posits that core developers could avoid such scrutiny by not making the corrupted version public, but this is nonsensical: The version of the source code available for use is by definition also available for review.
The other concern raised is that distributors who repackage open source software could add vulnerabilities. Again, this is possible, but no more so than with proprietary software. It's easy for an attacker to add malicious code to compiled binaries; indeed, much pirated software is reported to contain viruses or Trojan horses. For both open source and proprietary software, the solution is the same: Be careful who you get your software from. Downloading open source software directly from the public sources or buying a packaged version from a trustworthy distributor is no riskier than buying, for example, Windows directly from Microsoft or a system integrator such as IBM. If a consumer buys either open or closed source software from Bob's Back-Alley Software and Pawn Shop, well, it's a bad idea either way.
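The letter's advice about distributors can be made concrete: the usual defence against a repackaged download is to compare it against a checksum published by the project itself, fetched separately from whichever mirror served the file. The following is an added example, not code from the letter or from any project it names; the artifact bytes, the file name `tool.sh`, and the checksum file contents are all constructed for the illustration, and the verifier simulates the `sha256sum`-style manifest format a project would publish.

```python
import hashlib
import hmac

# Constructed sample release file standing in for a downloaded artifact
# (not a real project's file).
GENUINE = b"#!/bin/sh\necho 'release build'\n"

# The same file with a single byte altered, standing in for a copy that a
# repackager or mirror has modified on the way to the user.
TAMPERED = GENUINE.replace(b"release", b"re1ease")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the given bytes."""
    return hashlib.sha256(data).hexdigest()


# Simulated SHA256SUMS file in the layout `sha256sum` emits: "<hex>  <name>".
# In real use this text is fetched from the project's own site (or a signed
# release note), never from the same place the binary came from; otherwise a
# tampering distributor can simply republish a matching checksum.
PUBLISHED_SUMS = f"{sha256_hex(GENUINE)}  tool.sh\n"


def parse_sums_file(text: str) -> dict:
    """Parse a sha256sum-style manifest into {filename: hex_digest}.

    Accepts both the text-mode ("<hex>  name") and binary-mode ("<hex> *name")
    forms, skips blank and comment lines, and rejects malformed digests.
    """
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"bad SHA-256 digest on line: {raw!r}")
        sums[name] = digest
    return sums


def verify_artifact(name: str, data: bytes, sums_text: str) -> bool:
    """Return True only if `data` matches the published digest for `name`.

    A name missing from the manifest is a failure, not a pass: an attacker who
    adds an extra file to a repackaged bundle should not get it accepted by
    default. The comparison is constant-time out of habit, although digests
    of public files are not secrets.
    """
    expected = parse_sums_file(sums_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def demo() -> dict:
    """Run the three checks a downloader cares about and return the outcomes."""
    return {
        "genuine": verify_artifact("tool.sh", GENUINE, PUBLISHED_SUMS),
        "tampered": verify_artifact("tool.sh", TAMPERED, PUBLISHED_SUMS),
        "unlisted": verify_artifact("other.sh", GENUINE, PUBLISHED_SUMS),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'OK' if ok else 'REJECTED'}")
```

The check is only as good as the channel the manifest arrives over: a checksum file served by the same untrusted distributor proves nothing, which is the same point the letter makes about choosing a source you trust. Projects that sign their manifests (for example with a release key) close that gap; this example stops at the hash comparison.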
Open source is not the security panacea that some advocates make it out to be, but it doesn't incur the added risks that Mr. Jones attributes to it, either. A government or other user who applies common sense to its software acquisition is no more at risk from open source software than closed source, and may even be a bit safer.