Thursday, 26 February 2015

Does it make sense to talk about open source software in the context of web applications?



Why do people care if something is open source or not? I can think of at least two reasons: 1) to be able to customize it to their needs, and 2) to check for security concerns such as backdoors.


These aren't really applicable in the context of web apps or cloud computing. For example, even if a company says "OK, here's all our source code for our web server, here's all the PHP and JavaScript files," we still don't know what they're really using, and we wouldn't be able to make any tweaks, send them back, and have the company serve only us with our customization.


Here's a specific example. Say Google decides to make Google Drive open source. So now we have the source code. Very little can be concluded. Google may record the passwords that are sent during authentication and then be able to decrypt anything they would like to see. Conversely, from the source code things may look insecure because they're not encrypted, but maybe the security is built into something else, like the firewalls the servers are running.


So is there a meaningful way to talk about open source with respect to web apps?


Could auditors be used to verify the security of the source code? It sort of reminds me of PCI DSS compliance: "we're not going to give everyone all our source code so they can see for themselves that we are safe, but we do have a certificate saying we are safe."


Let me know if my point isn't clear and I'll try to fix it up; this is something I've been thinking about for a while.




