[csw-users] Concerns about the safety of OpenCSW packages....

Christian Walther cptsalek at gmail.com
Wed Nov 24 23:29:37 CET 2010


Hello Mohamed,

On 24 November 2010 20:30, Mohamed Lrhazi <lrhazi at gmail.com> wrote:
> Hello all,
>
> Could you share some arguments you might have used, or would use, to
> answer a management argument against OpenCSW in the form of:
>
> - How do we know nothing bad has been added to these packages you want
> to install on our servers?

Well, IMO you basically don't know if something bad has been added to
these packages. But this is not an Open Source or OpenCSW specific
problem, because you can't be sure what you download from any remote
server if you take security to this level. The only way to be sure
that nothing bad is in any software package would be to download and
audit the source yourself. And OSS is the only type of software that
allows you to deeply analyze the code, because closed source providers
just deliver binary blobs that can't be analyzed, or you might even
risk breaking several laws ("reverse engineering").

Big names don't help here either, because as a user you can't be sure
if any of these big companies have a deal with some security agency,
resulting in installed back doors. It was in the news often enough
that the NSA wanted something like this, for example. Of course such a
backdoor could be exploited by some malicious cracker.

Even if we take it for granted that no company would do something like
this we can't put too much trust in publicly available servers,
because these servers could be compromised and the served contents
changed. Even checksums won't help much, because there's no guarantee
that the system responsible for creating those hasn't been cracked as
well...

> - Who is this OpenCSW anyways?

An OSS project just like many others, trying to deliver some useful
packages for a fantastic Operating System, thus increasing
productivity and usability I would say. ;-)

> Another question I have is: Does anybody know if Redhat audits all the
> source code of all the software they ship to their customers?

I pretty much doubt it. The amount of packages available from RedHat
is IMO too high to be thoroughly audited. They probably have some QA
which keeps track of known (and exploitable) bugs so that these can be
squashed ASAP. Basically the power of OSS is the community: Because
famous packages (Gnome, KDE, OpenOffice et al.) are installed on
hundreds of thousands of systems, the probability is high that a bug or
security issue is found and reported before anything bad happens. From
what I gather the amount of "zero day exploits" for OSS is pretty low.
Additionally many people in the OSS scene are skilled enough to either
trace a bug down to a specific piece of code, or even provide a patch
to both the community and upstream.
The benefit here is on all sides: Every user skilled enough can apply
the patch directly, while the average user can (or has to) rely on his
distribution to provide an update.
While there are exceptions to the rule, most security related bugs in
OSS are fixed faster than their closed source counterparts.

> Does Oracle/Sun/Novel and others, promise that? How does trust work in
> the Open Software  world?

This is an interesting question, and I guess that reading licenses or
the fine print in support contracts could help here.

Trust is a good point in the OSS world. If money* is not an option all
you have is trust -- and credibility. This involves both the
development and distribution. If a project would mess up badly,
chances are high that it would lose its credibility. Losing users
would be the result.
That being said you have to trust the package maintainers not to do
anything bad, and the sysadmins that they know their work so that the
servers are secure. But you have to trust the thousands of Microsoft
developers and their sysadmins in pretty much the same way.
It's merely a coincidence but I think about Microsoft's own IPv6 tunnel
service that was able to get through company firewalls rather
unnoticed, risking the safety of entire corporate networks.

Normally you don't install an untested product on a production machine,
but on some dedicated environment. Take your time to test it, and if
it doesn't break anything you can be pretty sure that it works as
expected and that it's safe for production use.
Reading security related mailing lists, websites, or using services
like Secunia is advised as well, to keep up to date with security
issues in *any* product, OSS or not.

HTH
Christian

*) I think it's a good idea to keep in mind that many licence
agreements and terms of service of closed source software products
very often boil down to something like "pay much, but don't expect
anything, including warranty".
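The point Christian makes about checksums (a checksum file served by the same mirror as the package is regenerated by whoever compromised that mirror) is worth seeing concretely. The following is an added example, not code from the mail above or from OpenCSW: it builds a constructed in-memory "mirror" holding two made-up package files and a sha256sum-style CHECKSUMS file, lets an attacker replace one package and regenerate CHECKSUMS, and then compares verification against the mirror's own checksum file with verification against digests recorded out of band before the compromise. Package names, contents and the mirror layout are all invented for the demonstration.

```python
"""Checksums served from the same mirror as the package versus digests
obtained out of band.  Added example; everything here is constructed."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_checksums_file(files: dict) -> str:
    """Render files in the format `sha256sum` prints: '<hex>  <name>'."""
    return "".join(f"{sha256_hex(data)}  {name}\n"
                   for name, data in sorted(files.items()))


def parse_checksums_file(text: str) -> dict:
    """Parse sha256sum output into {name: hex}; accept the '*' binary marker."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hexdigest, _, name = line.partition("  ")
        name = name.lstrip("*")
        if len(hexdigest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        digests[name] = hexdigest.lower()
    return digests


def verify(files: dict, expected: dict) -> dict:
    """Return {name: True/False} comparing each file's SHA-256 with `expected`."""
    return {name: sha256_hex(data) == expected.get(name)
            for name, data in files.items()}


def build_mirror() -> dict:
    # Constructed package payloads; the mirror publishes CHECKSUMS itself.
    pkgs = {
        "CSWfoo-1.0.pkg.gz": b"foo package contents (constructed)\n",
        "CSWbar-2.3.pkg.gz": b"bar package contents (constructed)\n",
    }
    return {"packages": pkgs, "CHECKSUMS": make_checksums_file(pkgs)}


def compromise_mirror(mirror: dict, name: str, payload: bytes) -> dict:
    """An attacker with write access replaces a package AND regenerates
    CHECKSUMS, so package and checksum file stay consistent with each other."""
    pkgs = dict(mirror["packages"])
    pkgs[name] = payload
    return {"packages": pkgs, "CHECKSUMS": make_checksums_file(pkgs)}


def demo():
    clean = build_mirror()
    # Digests recorded through a second channel (maintainer announcement,
    # another mirror, an earlier download) BEFORE the compromise.
    pinned = parse_checksums_file(clean["CHECKSUMS"])

    evil = compromise_mirror(clean, "CSWfoo-1.0.pkg.gz",
                             b"foo package with backdoor (constructed)\n")

    # Checking against the mirror's own CHECKSUMS: everything "verifies".
    same_server = verify(evil["packages"],
                         parse_checksums_file(evil["CHECKSUMS"]))
    # Checking against the out-of-band digests: the swapped package fails.
    out_of_band = verify(evil["packages"], pinned)
    return same_server, out_of_band


if __name__ == "__main__":
    same_server, out_of_band = demo()
    print("checksums from the same mirror:", same_server)
    print("digests obtained out of band:  ", out_of_band)
```

The first result is the trap: a tampered mirror that ships a freshly regenerated checksum file passes every check. Only a digest (or, better, a signature verified against a key) obtained through a channel the mirror's attacker does not control catches the replaced package; that is what "out of band" has to mean in practice.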


More information about the users mailing list