Occasionally the question arises:
Is Free Software more secure?
And what statement can be made about this, e.g. by the FSFE?
My answer to this is:
Free Software has a higher chance of being secure.
Of course I wouldn't post this to a discussion list
if this was completely clear to everybody.
Unfortunately the relation of freedom to security is complicated.
There are already quite a few texts and papers about it.
Maybe we need to find the best which can be used as references
to give to journalists and other interested people.
To support my statement I usually look at David Wheeler's work first.
http://www.dwheeler.com/oss_fs_why.html#conclusions
OSS/FS software often has far better security [1],
perhaps due to the possibility of worldwide review.
[1] http://www.dwheeler.com/oss_fs_why.html#security
Again, it is not true that proprietary programs are
always more secure, or that OSS/FS is always more secure, because
there are many factors at work. For example, a well-configured and
well-maintained system, of any kind, will almost always be far more
secure than a poorly configured and unmaintained system of any kind.
For a longer description of these issues, see my discussion on open
source and security [2] (part of my book on writing secure software).
However, from these figures, it appears that OSS/FS systems are in
many cases better - not just equal - in their resistance to attacks
as compared to proprietary software.
[2] http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/open-source-s…
(Wheeler in this book uses "open source" for Free Software.)
2.4.1. View of Various Experts
2.4.6. Bottom Line
Just making a program open source doesn't suddenly make a
program secure, and just because a program is open source does not
guarantee security:
First, people have to actually review the code. This is one
of the key points of debate - will people really review code?
Second, at least some of the people developing and reviewing
the code must know how to write secure programs.
Third, once found, these problems need to be fixed quickly
and their fixes distributed. Open source systems tend to fix the
problems quickly, but the distribution is not always smooth.
Another advantage of open source is that, if you find a
problem, you can fix it immediately. This really doesn't have any
counterpart in closed source.
In short, the effect on security of open source software is still a
major debate in the security community, though a large number of
prominent experts believe that it has great potential to be more
secure.
Another interesting source stressing active peer review
is within Chapter 4 and Chapter 5 of Peter Gutmann's book:
Cryptographic Security Architecture
It is the book that stems from his thesis.
He has put a few chapters online at:
http://www.cs.auckland.ac.nz/~pgut001/pubs/thesis.html
Especially interesting for this question are:
Chapter 4: Verification Techniques
where he criticises a lot of beliefs about
how to build secure systems and verify them
Chapter 5: Verification of the cryptlib kernel
where he explains his approach and the interesting
part is 5.1.1 "Peer Review as an Evaluation Mechanism"
and the cited literature there
Bernhard
RE: Announcing the second official X Window System release by the
XOrg Foundation, at http://www.X.Org .
If you have questions, you may contact:
Leon Shiman, for The XOrg Foundation, at:
Shiman Associates Inc
(00)1.617.277.0087
leon(a)shiman.com
X.Org Foundation Announces X11R6.8 Release of the X Window System
=================================================================
The X.Org Foundation Release Officially Introduces State of the Art
Technologies to the X Window System
Brookline MA, September 9, 2004 - The X.Org Foundation today announced the
second release of the X Window System since the formation of the Foundation
in January of this year.
The new X.Org release, called X Window System Version 11, Release 6.8
(X11R6.8) builds on the work of X.org X11R6.7 released in April. X11R6.8
combines the latest developments from many people and companies working
with the X Window System and an open X.Org Foundation Release Team. The X
Window System X11R6.8 release can be found at ftp://www.x.org/pub and at
mirror-sites worldwide.
About this Release:
-------------------
In response to user and application developer demand, X.Org's X11R6.8
brings forward widely anticipated fundamental facilities through this
release. They include the first official X Window System Release support
for:
o Translucent windows
o Window animation, window decorations like shadows
o Support for accessibility applications
o Support for 3D immersive user environments like
Looking Glass(1) and Croquet(2)
o Support for large scale display walls using DMX(3)
These new facilities, some of which are still considered experimental, and
so not enabled by default, have been under development for several years.
Once completed and deployed, they will enable X Window System desktop
projects, such as Gnome and KDE, to greatly extend their visual user
interface vocabulary while still ensuring uncompromised support for
existing applications, even surpassing current state of the art in
competing window systems.
These facilities will enable easy implementation of thumbnailing, screen
magnifiers for accessibility, translucent windows, menus, drop shadows, and
even integration of conventional applications into 3D immersive
environments. They are the result of open collaboration within the
freedesktop.org community, desktop projects, and the X Window System user
and developer communities. For some illustrations visit
http://www.freedesktop.org/XOrg/X11R68ScreenShots.
Features also included in this release are updates and fixes to: FreeType2,
Xprint, Xaw (new PrintShell class), Mesa, DRI, driver rotation support,
Render (new Trapezoid extension), many driver updates, and a broad range
of fixes and enhancements.
About participation and membership in X.Org
-------------------------------------------
Membership in the X.Org foundation is free and open to all participants.
Active participants in the further development of the X Window System are
invited to visit: http://www.x.org/XOrg_Foundation_Membership.html to
complete a membership application. Participation in the Foundation's
Sponsor Group is also available to those who wish to financially
support the activities of the X.Org Foundation. Current Sponsors
include Hewlett Packard, IBM, ICS, Sun Microsystems, Shiman
Associates, and WRQ.
About the X.Org Foundation
--------------------------
X.Org Foundation L.L.C. is a Delaware company organized to operate as
a scientific charity under IRS code 501(c)(3), chartered to develop
and execute effective strategies that provide worldwide stewardship of
the X Window System technology and standards. The group is currently
managed by its Board of Directors that includes: Stuart Anderson (Free
Standards Group), Egbert Eich (Novell), Jim Gettys (HP), Stuart
Kreitman (SUN Microsystems), Kevin Martin (Red Hat), Jim McQuillan
(Linux Terminal Server Project), Keith Packard (HP), and Leon Shiman
(Shiman Associates). The website for the X.Org Foundation can be
found at http://www.x.org/.
About The X Window System
-------------------------
The X Window System provides the only common networked windowing
environment bridging the heterogeneous platforms in today's
computing. The X Window System is one of the most successful
open-source, collaborative technologies developed to date and is the
standard graphical window system for the Linux® and UNIX® operating
systems. The inherent independence of the X Window System from the
operating system, the network and the hardware, as well as its
successful interoperability, have made it widely available and
deployed with more than 30 million users worldwide. All major hardware
vendors support the X Window System and many third parties provide
technologies for integrating X Window System applications into the
networked computer or personal computer environments including
Microsoft Windows®, UNIX, Linux and Mac OS® X. Further, thousands of
software developers provide X Window System applications, and with the
continued growth of Linux and the emergence of Mac OS X, the number of
users is growing rapidly.
Community Response:
-------------------
"This release of the X.org server incorporates a number of extensions that
were developed in consultation with experts in the field," said Bill
Haneman, Sun Microsystems, GNOME Foundation board member and member of the
FSG Accessibility Workgroup. "This new release removes a number of
significant accessibility roadblocks and facilitates considerably improved
support for onscreen magnifiers, screen readers, and other assistive
technologies."
"As one of the original founding members of the X Window System project,
HP is pleased to be supporting the X.Org Foundation as a continued
sponsor. With the second X.org Foundation release of the X Window System, we
once again demonstrate the power of the open source development model to
deliver true innovation and value to our customers," said Martin Fink, vice
president of Linux, HP.
"Open source takes a giant leap into the future with the new X Window
System release and Croquet working together," said Alan Kay, Senior HP
Fellow, HP Labs.
"If anyone doubts the quality of 'Open Source' they only need look to this
new release of X," said Peter Winston, President of leading UI development
company Integrated Computer Systems (www.ICS.com) and member of X.org. "With
tens of millions of Linux and UNIX developers around the world relying on
the X Window System, X.org has created a new version which users can depend
upon and that addresses the new needs of a changing market. The additions
of translucent windows and support for large scale display walls will be
especially well received by our core customer base of developers building
homeland defense applications."
"LTSP relies heavily on the X Window System and we are inspired by the
continuing development and community involvement that has gone into the
latest X.org release." -- Jim McQuillan, LTSP project leader.
"Novell welcomes the rapid progress of the X.Org Foundation. We are
pleased to support the new release of X.Org in the next SUSE LINUX product
offering, which will enable technology enthusiasts to benefit from the
latest enhancements in Linux windowing technology, and we will continue to
actively contribute to the project." -- Chris Schlaeger, VP R&D SUSE LINUX
at Novell
"Red Hat is proud to contribute to development of the X Window System
technology and standards through continued involvement in and support of
X.org's efforts. Red Hat plans to include the X11R6.8 release in the
open source Fedora Core project and upcoming releases of Red Hat
Desktop." -- Havoc Pennington, desktop technical architect and engineering
manager.
"X11R6.8 contains essential features which provide the underlying
foundation for the Project Looking Glass 3D window system, such as the
Composite and Damage extensions. These timely and well implemented
features have significantly accelerated our development effort." -- Deron
Johnson, Sun Microsystems, Project Looking Glass.
"As the former X.org chair, and current chair of the X.org Sponsor's
Group, I'm very pleased to see the X.org Foundation produce the 6.8 release
of X11, which includes contributions from many different groups, with
different interests and goals, but with a common interest in and focus on
advancing the X technology. I believe that as long as that common focus
continues, this Foundation and their releases will be of great value to the
broad community of X technology users." -- Steve Swales, Senior Manager,
Platform Globalization Engineering; X.Org Sponsor Board Chairperson, Sun
Microsystems, Inc.
"R6.8 rocks! Now Qt/X11 can natively support almost everything developers
have come to expect from our Windows and Mac OS X versions", says Matthias
Ettrich, Director of Software Development at Trolltech, a cross-platform
GUI tool vendor, "Kudos to the X.org team."
Notes to editors:
-----------------
(1) Project Looking Glass: http://wwws.sun.com/software/looking_glass/
and https://lg3d.dev.java.net
(2) Croquet Project: http://www.opencroquet.org/
(3) Distributed Multihead X Project: http://dmx.sourceforge.net/
(4) The Mesa 3D Graphics Library: http://www.mesa3d.org
(5) Direct Rendering Infrastructure: http://dri.sourceforge.net/
(6) The Freetype Project: http://www.freetype.org
(7) The Xprint Project: http://xprint.mozdev.org/
UNIX is a registered trademark of The Open Group in
the US and other countries. LINUX is a registered trademark of Linus
Torvalds. Microsoft and Windows are registered trademarks of Microsoft
Corporation in the United States and/or other countries. Mac OS is a
registered trademark of Apple Computer, Inc., registered in the
U.S. and other countries. All other company names are trademarks of
the registered owners.
1. Announcing Wilhelm Tux as a new associate organisation
2. Software patents discussion
3. Donating to the FSFE in the United Kingdom
4. Speech at the KDE Community World Summit
1. Announcing Wilhelm Tux as a new associate organisation
Wilhelm Tux, a Swiss organisation for Free Software, has become an
associate organisation of the FSFE. The FSFE now has 9 associate
organisations in 8 different countries. Wilhelm Tux is the first
European associate organisation that resides in a country which is not
an EU member state.
2. Software patents discussion
The FSFE has always pointed out that software patents are a big threat
for companies and individuals developing or using software, no matter
whether it is free or proprietary. Recent software patent discussions
relating to the ongoing migration to Free Software in Munich seemed to
create the wrong impression for some people, namely that the software
patent problem only exists for Free Software, and the FSFE is happy that
it could help to clarify this point.
The FSFE also congratulates Mr. Ude, the mayor of Munich, who is showing
himself to be highly reasonable and competent: He continues the
migration without delays while both evaluating the risks potentially
created and speaking out against introduction of software patents in
Europe.
3. Donating to the FSFE in the United Kingdom
Due to substantial bank fees charged for international money transfers,
small donations or standing orders are too expensive to be sent directly
to the Free Software Foundation Europe bank account. To rectify this,
FSFE in July 2004 entered into an agreement with UK based associate
organisation AFFS to collect donations and transfer them in larger
batches.
http://www.fsfeurope.org/help/donate-2004-uk.en.html
4. Speech at the KDE Community World Summit
Bernhard Reiter gave a speech at the KDE User and Administrator
Conference, which was part of the KDE Community World Summit in
Ludwigsburg, Germany. He spoke about social and political aspects of
Free Software.
You can find a list of all FSF Europe newsletters on
http://www.fsfeurope.org/news/newsletter.en.html
I was directed to
http://europa.eu.int/abc/doc/off/bull/en/200405/p103027.htm#anch0042
which is the EU Bulletin claiming the council agreed common position
in May. This is also reflected in the "legislative observatory" record
for the swpat proposal, although no new EuroParl date has appeared
there. I had heard there was some dispute about it. What information
source is binding, if any?
From the draft agenda, it looks like the 13-16 September plenary will
be concerned with budgets, stability, human rights and Iraq. The next
plenary is 13 October 2004 - 28 October 2004, so watch
http://wwwdb.europarl.eu.int/ep/owa/p_calses.plenary?ilg=EN&iorig=plenary&i…
for an agenda in case swpat appears.
--
MJR/slef My Opinion Only and not of any group I know
http://www.ttllp.co.uk/ for creative copyleft computing
Please email about: BT alternative for line rental+DSL;
Education on SMEs+EU FP6; office filing that works fast