That's why we use open source stuff like Signal, and why you should verify signatures of compiled binaries I'd you don't want to compile from source yourself.
While it's not impossible to introduce a weakness in open source, it's a lot more difficult because there are so many eyes on it. It would be like committing a crime in time square on NYE.
There are examples of holes being put into open source projects. I bet some are uncaught. Look at the XZ Utils Backdoor as an example of one that was caught, barely.
It's a basic tenet of security that it's impossible to reduce the risk of a successful attack to zero. A sufficiently determined attacker with access to sufficient resources will always win eventually.
The aim of the game is to make a successful attack as hard as possible. To reduce attack vectors, increase detection rates, and increase the cost to the attacker such that you reduce the pool of viable attackers to as small a group as you can.
If open source development methods mean that a larger proportion of vulnerabilities are caught, then it's doing its job. The fact that you can't possibly guarantee that you've reduced it to zero doesn't negate the value of reducing it at all.
136
u/josh_the_misanthrope Feb 17 '25
That's why we use open source stuff like Signal, and why you should verify signatures of compiled binaries I'd you don't want to compile from source yourself.
While it's not impossible to introduce a weakness in open source, it's a lot more difficult because there are so many eyes on it. It would be like committing a crime in time square on NYE.