[ale] [OT] good FREE windisease anti-virus software (Thanx!)
Michael B. Trausch
mike at trausch.us
Tue Feb 16 23:49:22 EST 2010
On 02/16/2010 02:46 PM, m-aaron-r wrote:
> -- The most trustworthy software choices will be those that
> are OPEN SOURCE, where the author(s) have publicly
> published the source code for their products such that ANY
> programmers, peers or users can readily see if there are any
> serious errors, vulnerabilities or malicious components in
> their programs. An additional strong indicator that an Open
> Source program is trustworthy is when it is distributed at no
> cost (free) or with payment on the honor system at the user's
> discretion (shareware) or with request that payment be
> honored by donating to a charity (donation-ware).
>
I cannot say that I agree with this statement as is. For starters, you
mention open source here. The qualification is something that is nice,
but most people have a tendency to not look past labels, and if
something is labeled open source, they'll take that for what it is (and
let's also not forget that open source software, even completely
redistributable open source software, is not always free).
Now, I will tell you that there is a whole suite of software on my
computer that I trust. I trust GNU's coreutils, because I have used it
for years, and I have never known it to do anything wrong. But that
does not mean that I trust it absolutely. I cannot trust it
absolutely—I have neither read (all of) its source code, nor do I know
any one individual whom I trust who has.
Just because free software has the source code available to read does
not mean that it has been read. I am willing to wager that there is not
one single person on this mailing list that has audited every single
line of code that is running on their system. Or, for that matter,
every single line of core system code that runs either at ring 0 or with
UID 0 privilege, which while smaller, is still a very large amount of
code to audit through. Trust requires knowledge.
This is the premise, of course, behind certain types of trust models.
The reason that companies do not adopt brand-new software (and
especially just-released operating systems outside of testing
situations) is because they have no reason to trust it. Like it or not,
Windows XP is a lot more trustworthy than Windows 7 is, because more
people know it better. The same can be said of an LTS release of
Ubuntu, one year after it is released compared to the LTS+2 release that
just came out.
It's of course a difficult subject to adequately address, but it is one
that requires some pretty careful and in-depth thought.
On the flip side of the coin, it is entirely possible for non-free
software to be completely trustworthy. Just as it takes time to trust
free software that is running on a computer system and for whatever
purpose the user has for using it, it takes time to trust proprietary
software. Of course, it is harder to trust proprietary software, since
we cannot look into it and see how things are done inside of it. Or at
least, we can, but not in pure source code form. After all, we can
always disassemble code to see what it does, and if we have issues
trusting it, there is no better way to gain trust than to do that.
Long story short, I guess that my point is that we should not encourage
the thought that free software is somehow inherently more trustworthy
than non-free software. Telling someone that they can trust something
more because it is free (or open, or transparent) encourages a false
sense of security.
Put another way: You can read the source code to the Windows kernel if
you want to. You have that capability. Do you consider it any more
trustworthy right this minute than you did fifteen minutes ago? I hope not.
> -- The most trustworthy of the trustworthy Open Source
> software choices are distributed under a version of the
> reciprocal, freedom friendly, General Public Licenses
> of the GNU Free Software Foundation (GPL). The GPL
> protects the freedoms of any peer, programmer or user
> to modify, improve and customize the software to suit
> their needs and interests.
> (see <http://www.gnu.org/copyleft/gpl.html>)
>
Again, I have to disagree, for many of the same reasons as I mentioned
above. There is a great deal of high-quality, highly reliable,
exceedingly robust software distributed under the BSD license. The *BSD
family of operating systems and the PostgreSQL database server are two
examples that I can think of that I have never, ever had a reason to
distrust.
The *BSD family of operating systems may not have every fancy bell and
whistle that a modern GNU/Linux distribution has, but then again, BSD
systems are (ironically) a lot smaller than other systems are today.
OpenBSD, for example, installs a base system in just under 100 MB the
last time I did it, compared to a base command-line server installation
of Ubuntu that was three or four times that. Also, OpenBSD has a very
high reputation for security and correctness of implementation, and they
are proud of that, even though it does cost them in terms of sometimes
having fancy features.
Development goes slower, they constantly audit for issues, and you can
see, for example, in their source control history that when they learn
of new classifications of vulnerabilities, they sweep the source code
tree looking for it and fixing them before they become issues. I'll
trust that more than a GNU/Linux system any day of the week, despite the
fact that I very likely won't get a chance to deploy one any time soon
for a variety of reasons.
And let's face it, if we're going to use the argument that the freer the
software, the more trustworthy it is—and if we are going to use
absolutes—then the BSD software must be the most trustworthy software
around on that premise alone, because they let you do /anything/ you
want to the software. Literally. It is the most free software license
that I know of. Of course, if you do take BSD code and then you fail to
exercise care when you take it, you can turn the code that you used from
BSD and make it very unreliable. We discovered this years ago when
Microsoft first implemented Winsock, built around BSD-licensed
networking code.
There is something else about these last two paragraphs of yours which
bothers me, but I cannot (yet) put my finger on what precisely it is.
— Mike
--
Michael B. Trausch Blog: http://mike.trausch.us/blog/
Tel: (404) 592-5746 x1 Email: mike at trausch.us