Musings on open source security, malware, and vulnerabilities


Posted by Ed on Jan 2, 2009 in Uncategorized

So welcome back from the break! I hope you all had a great new year, and a good season.

So, to kick us off on a new season, I came across an article today talking about the biggest threat to open source security for 2009. In case you don’t feel like reading the whole thing, the point of the article is basically that “most open source lacks update services” and that this represents a huge risk to enterprises.

Now, I can tell what you’re thinking – you’re probably thinking that open source does have update services (rpm, apt-get, yum, etc.) and you’re probably wondering what this guy’s been smoking to write this. I wondered that too at first – and heaven knows I’m not an open source fanboy (I don’t subscribe to the belief that just because you publish the source, you all of a sudden have legions of interested and skilled security testers auditing your code for you.) But then I got to thinking about it a little bit and realized that there is an issue underlying it all that bears some thinking about. The article touches on an interesting point – even though it sails right by it to make another point that’s dubious.

The point is that (no matter how much some people might extol the virtues of RPM), keeping some open source software up to date requires a bit of knowledge – in other words, to make sure patches get installed properly, you have to have at least a vague clue about what you’re doing. Not that you can’t do it, not that any open source project should do anything differently – just that some projects are harder to update than others. Compare that to Windows which – no matter what you say about it – doesn’t really require much skill to keep updated and patched.

And it also raises the ultimate question, which is: who’s accountable for there being a patch in the first place? In general, most open source communities have a good track record for delivering timely patches (some might even say faster than many commercial software vendors) – but who’s accountable? Will an enterprise have an assurance that they’ll get a patch? Whether or not it gets automagically installed, companies need to know that they’ll get a patch in place – and at the end of the day, they feel less confident when there’s no assurance.

So what’s the bottom line? Is it the case that open source will be chock full of holes in 2009 and get run over by a freight train of malware, trojans, and worms? Doubtful. Will open source users all of a sudden start getting bombarded by “Antivirus 2009” popups telling them they’re infected? Not likely. But is it the case that admins need to have a higher degree of a clue to keep open source software patched, and is it the case that companies are afraid to use it because they want greater accountability? I happen to think so.

Thanks to Diana for the hilarious picture and the suggestions on the edits.