I don't think you understand what 'anecdotal evidence' means...

Also you are trying to make points I'm not making or twisting/misunderstanding the ones I am.

As such I'm out.

Ah, and now you are being condescending, nice nice...

And also; wrong.

IF I had said something along the lines of "I've heard of this one problems with open source software so all open source software must be bad" you would have a point.

I didn't.

I cited a time period "recent security problems" and gave specific examples as to what I was talking about.

I did not expand this to state 'all open source software is...' in relation to my claims, I restricted my point to a very specific subset of known problems which have been reported in the wild.

This is not an acecdote, this is a set of 3 cited examples of when open source software has caused large security problems.

The logic is easy to follow... or maybe I'm just that much smarter than you, I dunno... but the point is, nope, you are wrong and by trying to attack the message instead of the facts I pointed out you are showing that you have no point to be made, instead you are simply trying to discredit in order to make you own position felt safer.

So, as I said, I don't think you understand what anecdotal evidence is.

But thanks for playing.
Better luck next time.

This is not an acecdote, this is a set of 3 cited examples of when open source software has caused large security problems.

Here's the problem with your argument: Open source software didn't "cause" these security problems.

You cited three isolated examples of when there were bugs in open source software, and then implied that Open source software has more bugs and is worse than proprietary software. And you then went on to say that "Open source software ... caused large security problems", which is obviously untrue.

The only person arguing about number of bugs between OSS and proprietary software is you. Not a SINGLE time has Phantom said anything about differences in bug counts in this entire thread. He's been pointing out, rightly so, that OSS has had some serious problems. He has been arguing that you shouldn't just blindly trust OSS. You're attempting to put words into his mouth by reading his responses and seeing whatever you want to see.

The articles that you have linked to are not peer-testable. If you can find ANYWHERE on Coverity's site where they list which proprietary projects they analyzed for their report, please link it, otherwise I am calling bullshit; It is blatantly clear that Coverity has a vested interest in promoting OSS for its own financial gain. "Studies" can be written to say whatever you want them to say, but if nobody else bothers checking to make sure you did the study correctly, nobody's going to call bullshit either. People who already agree with what the study says are unlikely to challenge it. Ironically this is the exact same behavior seen in OSS: The vast majority of OSS users just want to use the software, and aren't going to bother investigating the code in detail unless they personally encounter a bug. If there's something intentionally malicious in the code, you don't know what to look for.

Security researchers actively looking for exploits (not typical source-code-level flaws like what Coverity appears to advertise) seem to be the only ones bothering with deep investigations of software, but these people are smart enough to do it regardless of OSS/proprietary-ness; as long as the researcher has code or executable, they can begin investigating.

Here's the problem with your argument: Open source software didn't "cause" these security problems.

Then how you would explain it then?
When 3 large security flaws are found in 3 pieces of open source software? (or 2 pieces of software if you want to bundle the two Android problems together).

As the topic is well and truly derailed at this point...

In my view, the difference is that the library is already potentially well debugged, potentially reviewed by others.

Given the option between "use an existing widely used, widely trusted, publicly reviewed library for secure networking " or "build your own library for secure networking and hope for the best", I'll take the first. When the new bugs are identified (they will continue forever) the fixes can be easily integrated into my code.

Sure, my system will suffer from the same homogeneous defects. But I'm okay with that because I won't be alone in the error. And because I know I saved a ton of time and effort and bugs by using the standard implementation. And because I know I can just drop in whatever fix the community creates with almost zero work.

When the first few systems came out saying "Our system is affected by heartbleed" a few people reacted negatively. When it was discovered the problem was universal, people really stopped caring. It is just a bug that affects everything before a certain date. There are a huge number of bugs like that.

Open source solutions mean we can simply download the patch and recompile if we choose, rather than having bugs discovered in closed-source projects that are impossible to ever update. You can patch and update your product in the open source world when defects are found. It may not always be easy, but it is possible. In the closed source world you are entirely at the mercy of the vendor. You may know full well that a product has heartbleed in it, but since you don't have the source and the company discontinued it or went bankrupt, you are stuck with the bug.

Open source solutions mean we can simply download the patch and recompile if we choose, rather than having bugs discovered in closed-source projects that are impossible to ever update. You can patch and update your product in the open source world when defects are found. It may not always be easy, but it is possible. In the closed source world you are entirely at the mercy of the vendor. You may know full well that a product has heartbleed in it, but since you don't have the source and the company discontinued it or went bankrupt, you are stuck with the bug.

I agree in that I wouldn't write something myself, though I see most of the same things happen regardless of OSS/Proprietary status.

Here's what happens in my experience:

- Closed source project stops being maintained. Users migrate to a different system or decide to "ride it into the ground". Insane users might reverse-engineer it (doubtful).

- Open source project stops being maintained. Hardcore users might fork the repo, but most users are not going to want to maintain something themselves. They're going to "ride it in" if bugs haven't yet been found, or migrate to a different system as well (or perhaps use the fork if they're lucky and someone wants to continue maintaining it). If a bug comes up, I sure wouldn't trust myself to go in and fix some open source code. Hell, I can't even read 99% of it. It would take less effort for me to migrate to another similar project than it would be to fix the bug myself.


It's nearly the same experience when each kind of project is being maintained: Both provide regular patches based on how critical the issue is and the skill/motivation level of the maintenance team.


You're always at the mercy of someone else, just at different levels of inconvenience.