Firewall Wizards mailing list archives
Re: Gauntlet: source code anyone ?
From: David C Niemi <niemi () tux org>
Date: Mon, 22 Mar 1999 22:20:20 -0500 (EST)
On Mon, 22 Mar 1999, Darren Reed wrote:
> ...
> It occurs to me that computing is becoming increasingly more appliance based and that appliances, by nature, are typically black boxes. If I feel I need to review the source code for a product, then there is something fundamentally wrong. Being able to obtain it is, IMHO, a luxury and we've grown used to being spoilt.
If it is something customers find important, it is not a luxury. There is no reason customers suddenly can no longer deserve having source. I think the big change here is that (a) big, deep-pocketed, and highly proprietary vendors are throwing FUD at the less proprietary (and often more successful) products, and (b) the number of users of firewalls and other security products has ballooned far faster than the number of people who have any meaningful understanding of them. At the same time the number of people who can make good use of source code is increasing too, just not as quickly, and they are being dwarfed by the number of people who just know how to use a "wizard" and don't understand any of the underlying technology. That in no way reduces the soundness of making source code available, it just is a reflection of the ability of companies with deep pockets and big marketing budgets and a lack of scruples to make technically superior competing products look bad in the eyes of the public. This battle has to be fought in the marketing arena, not the technical one.

I don't think it's at all fair to insist that if few users actually modify the source code of a firewall, or if few do intensive audits of the code, that there is no customer need for available or modifiable source code. Realistically, only very large or very security-oriented organizations are likely to have the time to review source code as a matter of policy, and no-one will sensibly modify the source code unless they need some functionality which the standard product does not provide. On the other hand, when prompted by a particular need, like a subtle compatibility problem or an urgent security question, I find it immensely valuable to be able to look at the source code of the product to figure out why it is doing what it is doing or whether it handles a particular problem correctly.

This is useful even with vendors you trust and products that work quite well and are documented quite well; documentation simply cannot cover every detail of the implementation. No, I don't consistently peruse every package I could that has source code, but the availability of source is a big plus for me. If you want to appeal to the nontechnical checkbox-validating market, you will have to compete largely on the strength of your marketing division.

> ...
> To end this, I'd suggest that perhaps the problem isn't availability of source code, but the suggestion/perception that we need it because we're not prepared to trust vendors.
Is it our fault we don't trust vendors? A lot of vendors have given their customers good reason to be suspicious. It isn't just a matter of source code, there are many other areas of trouble too, such as file formats. A security vendor I've been stuck with refuses to document the format of binary files used to exchange public keys, and when I expressed concern about what other data might be mixed in with the public key data (there has been some reason to be concerned that the pass phrases or even the private keys may be in this file in some form), the vendor emphasized that any attempt to scrutinize the file format would void my user license. Is it just me, or is that an unacceptably arrogant attitude? Why on earth should I trust a vendor like that? But somehow many people do.

---- David C Niemi ---- niemi at tux.org ---- Reston VA USA ----
A key goal of good science fiction is to provoke debate on difficult ethical questions and personal challenges which would be imposed by social structures and technologies which the world has not yet faced.