[ale] [OT] good FREE windisease anti-virus software (Thanx!)
Michael B. Trausch
mike at trausch.us
Wed Feb 17 09:29:13 EST 2010
On 02/17/2010 06:59 AM, Geoffrey wrote:
> Michael B. Trausch wrote:
>> Just because free software has the source code available to read does
>> not mean that it has been read. I am willing to wager that there is not
>> one single person on this mailing list that has audited every single
>> line of code that is running on their system. Or, for that matter,
>> every single line of core system code that runs either at ring 0 or with
>> UID 0 privilege, which while smaller, is still a very large amount of
>> code to audit through. Trust requires knowledge.
>
> I don't think that is Aaron's point. The point is, OTHER developers
> have peer reviewed the code. You don't get code into the kernel without
> it be reviewed by other folks.
The kernel is one project that is very meticulous about changes---and
yet, a year or two ago, several people signed off on a back-door
granting root privilege without realizing it. IIRC, it was caught
(relatively) quickly. The code was right there---and they even read it.
It was mistaken for a bug, but if memory serves, it actually was
intentional.
Most other projects are not so meticulous about their changes. Some
are, but others are really "patch, please" and the patches get applied,
run, and see if they work, and if so, merged. Not how I do things, but
I know that there are plenty out there who do.
>> This is the premise, of course, behind certain types of trust models.
>> The reason that companies do not adopt brand-new software (and
>> especially just-released operating systems outside of testing
>> situations) is because they have no reason to trust it. Like it or not,
>> Windows XP is a lot more trustworthy than Windows 7 is, because more
>> people know it better. The same can be said of an LTS release of
>> Ubuntu, one year after it is released compared to the LTS+2 release that
>> just came out.
>
> The number of people who have reviewed XP and/or Windows 7 source is
> still extremely limited because of it's non-open status.
Yes, but the accessibility of a source code base has something to do
with how many people are willing to read it, too.
I am using Thunderbird at the moment, as an example, but I've found the
Mozilla source tree to be completely unreadable in the past (hopefully,
this has changed, but I am not willing to wade in those waters really
yet). I won't try to read source code that is inaccessible, unless I
have to modify it for some reason.
>> It's of course a difficult subject to adequately address, but it is one
>> that requires some pretty careful and in-depth thought.
>>
>> On the flip side of the coin, it is entirely possible for non-free
>> software to be completely trustworthy. Just as it takes time to trust
>> free software that is running on a computer system and for whatever
>> purpose the user has for using it, it takes time to trust proprietary
>> software. Of course, it is harder to trust proprietary software, since
>> we can not look into it and see how things are done inside of it. Or at
>> least, we can, but not in pure source code form. After all, we can
>> always disassemble code to see what it does, and if we have issues
>> trusting it, there is no better way to gain trust than to do that.
>
> I am a whole lot more comfortable with open source. Just the fact that
> I have the opportunity to review the source is a comfort to me and has
> to be some incentive to the developer NOT to try to hide something nasty
> in there.
And I will agree with you. I prefer to use software that I can see the
source code almost exclusively, because that means that if I have an
issue with it, I can look into it and (hopefully, though not always)
actually fix it. I cannot fix something that I have to reverse
engineer, especially since that is a field that I am very weak in.
(Though if I were good at it, or even mediocre, I would very likely
attempt to develop and release binary patches to make things like Flash
actually work on Linux systems.)
--- Mike
--
Michael B. Trausch Blog: http://mike.trausch.us/blog/
Tel: (404) 592-5746 x1 Email: mike at trausch.us
More information about the Ale
mailing list