[BBLISA] Quick Poll: Would you trust system software from an anonymous source?
Tom Metro
tmetro+bblisa at vl.com
Fri Feb 26 14:17:41 EST 2010
Dean Anderson wrote:
> By anonymous, I mean a source that traces only to an email address with
> no phone number, no address, no anything. Not even a significant
> history of email from that account. This source has no accountability,
> because they are anonymous.
You're describing essentially the vast majority of open source projects,
excluding the small minority of open source projects that are backed up
by corporations. Even then, unless you are paying for a support contract,
the corporation probably carries no legal liability, and there is no
guarantee that they've vetted the end-user contributions to the code base.
If you disagree, can you clarify how you see the majority of open source
as not falling under this definition?
If you do agree, then we can conclude that a large portion of the IT
industry now feels comfortable using such anonymously sourced software
for system critical functionality. Though perhaps with some qualifiers.
(See below.)
> By 'System software' I mean software whose integrity a company relies on
> to perform its functions.
Like say the Linux kernel?
> Here are the specific questions:
>
> 1. Would you trust (meaning use) system software from an anonymous
> source?
>
> 2. Would the fact that the software is a derivative of well known
> software, but with apparently gratuitous "security fixes": would that
> increase or decrease your willingness to trust the software?
So the hypothetical response to this threat vector is that you audit the
code. The practical approach, though, is that you stick to projects that
have a wide user base, with the expectation that you've vastly increased
the probability that someone else has audited the code, or encountered
any potential exploits.
I think any time you deal with a fork or project that has a small user
base, you're increasing your risks, unless you're willing to diff the
fork against the main project, and then audit the diff.
> 3. Would the fact that source implements a variation of discredited
> changes advocated by gray-hat or black-hat hackers increase or decrease
> your willingness to trust the software?
I'm not sure I follow. Changes discredited by gray/black-hat hackers? So
that could mean the fixes are pointless, if they're being altruistic,
or that the fixes hamper their ability to exploit, if they're not.
Can you get a white-hat hacker to weigh in? :-)
> 3. Would you consider it a bad judgment to use such software knowing (1)
> for sure...
Not at all, with noted qualifications.
Of course it also depends on the amount of exposure the software has.
> and perhaps (2)...
#2 would make me nervous, given the circumstances you describe. If the
user base was large, or the group forking and patching had a known
reputation, it may be fine, but your case seems to meet neither of those
qualifiers.
> and (3)?
Which #3? :-)
(I assume the former, which I've asked for clarification on.)
> Please reply off list.
I think the clarifications of your premise warrant on-list discussion.
-Tom
--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/