[ale] Cory Doctorow, right again

mike at trausch.us mike at trausch.us
Fri Mar 16 14:14:59 EDT 2012


On 03/16/2012 02:02 PM, James Sumners wrote:
> Which all boils down to exactly what I said. Either ignore installing
> third party software altogether, or do the best you can with the time
> you have. The argument that open source is safer because you,
> yourself, can look at the code before installing it is ludicrous.

I have a feeling that there is going to be no sensible debate on this
point between us.  It has been proved, time and time again, that
software with available (and freely licensed) source code is in the
general case safer because anyone can, given a little bit of study and
time, read and understand the program (or the part of it that they are
reading, anyway, if they are focused on a single aspect of it).  And fix
any problems that they find, too.

The fact that free software isn't an opaque black box that we must
accept as-is and therefore trust as-is is highly advantageous.  Anyone
can read it.  Anyone can write it.  And if you don't like what you see,
you can do something about it locally or globally.  It's definitely
safer for those sorts of reasons.  There are also psychological factors
that are involved in the production of things which are exposed to the
open compared to things that are opaque(ish) black boxes of binary code.
Yes, given enough time and know-how, one can reverse engineer binary
code, even if it is obfuscated.  But it's not worth it for most things
(at least, not IMHO and probably many others).

> If
> you have the time to do that for _every_ piece of software you
> install, then you must not be doing anything else.

No, I don't read every single line of code that I execute on my system.
That said, I don't run software that I have no a priori reason to
trust, either, without putting it in some type of sandbox.  I also will
"fire" software if I find anything that makes me feel like the software
item in question is untrustworthy.

Of course, I can do that on my desktop system, but I cannot do that on
my Android devices.  I don't know if that will be functionality that
will ever truly become available on Android (at least stock versions of it).

There is one thing that could address these problems, though again not
entirely:  automatically verifiable formal proofs.  But since software
lacks the ability to be automatically formally proved for functionality
or correctness (with some exceptions, as always), that is kind of moot.

While the author can say "Here is the program and I swear and promise
that it is correct and good", that of course means nothing.  Show me the
code, or I automatically don't trust you unless you give me a really
good reason to.

	--- Mike

-- 
A man who reasons deliberately, manages it better after studying Logic
than he could before, if he is sincere about it and has common sense.
                                   --- Carveth Read, “Logic”
