Open Source Bugs Don't Mean Open Source Is Buggy

Just because there's a vulnerability in some open source software, it doesn't mean there's a problem with open source

Lazy journalists depend on controversy rather than truth to generate traffic for their advertising-funded employers. I just saw the headline “Open source bug leaves hundreds of thousands of sites open to attack” (you can search for it, I won’t link it) and as reliably as ever, the truth is that it’s nothing to do with open source beyond the code being open source.

Security issues arise from many root causes: from outsourcing without adequate due diligence, from hierarchical supply chains spanning jurisdictions, from black-hat exploitation of defects, from straightforward deployment errors and from other consequences of a non-rivalrous good becoming central to commerce and widely usable without any requirement for caution. All of these are more easily mitigated in open source, both because “many eyes make all bugs shallow” and because resources can be applied without the management consent required for secret company code.

The result is that open source solutions in areas where these risks are expected are more popular than proprietary solutions. As a result it is common to find security issues in widely used open source software. But that is not the same as open source being the origin of the issues! Most research suggests that being open source is an orthogonal attribute to the security of the software itself and a positive factor in the mitigation of risks.

So when you see these false correlations in headlines, complain to the editor. It’s usually their fault anyway, in my experience!