Florian Weimer fw@deneb.enyo.de wrote: [...]
These days, there's hardly any widely used piece of proprietary software for which you can't get the source code.
I wasn't aware of this. The Norton Security tools on Windows cause some associates of mine many problems. Even if the apparent bugs can't be fixed, knowing the precise details of how it worked will help. Where can they get the source code?
[...]
It's also not clear if source code availability is that helpful for uncovering security bugs.
Would either the recent openssl/debian zero-entropy mistake or the openssl dangerous use of uninitialised memory have been uncovered without source code availability?
It seems to me that closed security software is a bit dangerous. Treating it as a black box and prodding it with different inputs and outputs is an inadequate way of testing it, not really checking.
Regards,