Free Software security vulnerabilities: Heartbleed and other case studies?
Adonay Felipe Nogueira
adfeno at openmailbox.org
Sat Jul 29 23:37:26 UTC 2017
Hi,
I don't have much to share, but suspect that these types of issues can
be best solved if the following is avoided:
- Bundling.
- Customization without sending improvements to upstream.
- Reinventing the wheel.
- Containers.
This list was made based on
[[https://media.libreplanet.org/u/libreplanet/m/solving-the-deployment-crisis-with-gnu-guix-f8fd/]]
(licensed under CC BY-SA 4.0) and
[[https://wingolog.org/archives/2015/11/09/embracing-conways-law]] (no
license: default copyright license).
Interestingly, the GNU Guix project
([[https://www.gnu.org/software/guix/]]) tries to avoid all the things
listed so far.
I would also add that the following must be avoided:
- Digital handcuffs. This includes Restricted Boot, which is different
from the benign Secure Boot
([[https://media.libreplanet.org/u/libby/m/embracing-secure-boot-and-rejecting-restricted-boot-matthew-garrett/]]). This
is desirable to avoid because the user himself cannot (not "can't")
update the system as he would wish to, because only the manufacturer's
"trusted" operating system is accepted by the device. Even worse, the
manufacturer might not even be allowed to do such updates because the
carrier/front-provider might have been the only one that implemented
Restricted Boot, not the manufacturer.
--
- [[https://libreplanet.org/wiki/User:Adfeno]]
- Speaker and consultant on free /software/ (not to be confused with
gratis).
- "WhatsApp"? It is not free, so I don't use it. Instead of it I prefer
GNU Ring, or Tox. Want other ways to contact me? Add the vCard at the
address above to your contacts.
- Intend to send me .doc, .ppt, .cdr, or .mp3 files? OK, I accept
them, but I don't pass them on. I deliver only in formats favorable to
free /software/. Please get in touch if in doubt.