A detailed post on how security audits are pretty similar regardless of source model, and how vulnerabilities are typically found.
I believe in supporting free software for the right reasons, not the wrong ones. I wrote this to address the wrong reasons.
Source code is typically helpful (sometimes essential) to Step 3. If someone has completed Step 3, they will require source code in order to proceed to Step 4.
There are definitely cases where you can patch the software without access to the source. For instance, in Java land you can just ensure a home-rolled version of a particular class appears earlier on the classpath. For compiled binaries with machine code you can alter the machine code directly (though this can be very tricky to do). Unless the code has been obfuscated, there are usually decent decompilers which, given a binary, can produce something more readable, which can help with creating a fix for an issue even if the true source is absent.
By this reasoning one can argue that as soon as you ship code to someone you've essentially given them the source. FOSS just gives you a more reasonable path to understanding the source, since interpreting obfuscated machine code isn't fun (though there might be some people who enjoy that type of self-flagellation). The only true threat, in my view, to user freedoms is really software as a service...
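The classpath-shadowing technique mentioned above, as an added example that is not part of the thread or any project it discusses. It assumes a hypothetical vendor jar (vendor.jar) containing a class com.example.vendor.PathResolver whose resolve() method does not confine results to a data directory; the replacement below is compiled separately and placed ahead of the jar on the classpath, and it exposes a loadedFrom() check so an operator can confirm at startup that the override, not the vendor copy, is the one the JVM actually picked up.

```java
// Added example, not code from the thread: hot-patching a vendor class without its source
// by placing a same-named replacement earlier on the classpath.
//
// Assumed layout (hypothetical names):
//   vendor.jar                          -- unmodifiable vendor build containing com.example.vendor.PathResolver
//   PathResolver.java                   -- this file, the replacement
//
// Build and run:
//   javac -d patched PathResolver.java
//   java -cp patched:vendor.jar com.example.vendor.App
//
// The application class loader searches classpath entries in order and uses the first
// class file whose name matches, so "patched" must come before vendor.jar.
package com.example.vendor;

import java.nio.file.Path;
import java.nio.file.Paths;

public final class PathResolver {
    // Data root the application is supposed to stay inside (assumed value).
    private static final Path ROOT = Paths.get("/srv/app/data").toAbsolutePath().normalize();

    private PathResolver() {
    }

    // Replacement for the vendor method: normalize the joined path and reject anything
    // that does not remain under ROOT, which the hypothetical vendor version failed to do.
    public static Path resolve(String userSupplied) {
        Path candidate = ROOT.resolve(userSupplied).normalize();
        if (!candidate.startsWith(ROOT)) {
            throw new IllegalArgumentException("path escapes data root: " + userSupplied);
        }
        return candidate;
    }

    // Operational check for the deployer: report where this class was loaded from.
    // If this returns the vendor jar's location, the classpath order is wrong and the
    // patch is not in effect. Call it once at startup and log the result.
    public static String loadedFrom() {
        return PathResolver.class.getProtectionDomain().getCodeSource().getLocation().toString();
    }
}
```

Running the JVM with -verbose:class and filtering for PathResolver gives the same confirmation from outside the program, which is useful when the vendor entry point cannot be changed to call loadedFrom(). Keep in mind that shadowing only works for classes loaded by the same class loader in classpath order; application servers with per-module loaders, sealed packages, or signed jars can refuse or ignore the override.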
Binary patching is harder and also more error prone, especially when certain build flags are used (binary-patching a program built with -fPIE -flto=thin -ffunction-sections -fdata-sections -fno-semantic-interposition is... not fun) or when the software uses binary obfuscation.
Freedom is more than just understanding the software in question, though. Some vendors are quite hostile to reverse-engineering efforts, for instance.
I wrote two previous posts on how FLOSS is a necessary but insufficient requirement to achieve user freedom, linked near the top.