From: Don Y
Newsgroups: sci.electronics.design
Subject: Re: OT: Linix goes politics
Date: Sat, 26 Oct 2024 11:15:45 -0700
Organization: A noiseless patient Spider

On 10/26/2024 6:18 AM, Lasse Langwadt wrote:
> And to some extent it also protects Russian contributors from being the target
> of being forced to add "bad things"

The problem with FOSS is the naive belief that "lots of eyes" looking at the code *will* discover errors, bugs, etc. This is just wishful thinking.

From "KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs":

"We also used KLEE as a bug finding tool, applying it to 452 applications (over 430K total lines of code), where it found 56 serious bugs, including three in COREUTILS that had been
---> missed for over 15 years.
Finally, we used KLEE to crosscheck purportedly identical BUSYBOX and COREUTILS utilities, finding functional correctness errors and a myriad of inconsistencies."

So, folks have been looking at that code for "15 years" and still didn't notice the bugs?

The failure is in thinking that someone ELSE will have found the bugs and taken action on correcting them. A "bad actor's" actions are, thus, largely inoculated from discovery.
And, as there is no easy way of tracking down who/what may have already incorporated them, no easy way to "recall" those defective products. (closed source would have such a provision as the owner of the source will likely know which products contain which bits of code)