Sunday, December 16, 2007

How to keep 'Security' in Open Source

I got some opinions about how to keep security in open source. Now, in Japan, when a developer who doesn't know the details of security publishes a module that equips security hole, an expert developer warns him to stop publishing and fix the module quickly. Some users mail me about this.

(Umm, why did not they contact the expert developer directly? Why did not they discuss directly? Because they are Japanese! Not that this is anything new.)

That's difficult problem. In xoops.org and jp.xoops.org, security was broken perfectly once. Source was open, but nobody tried to check source. Users faced danger always.

Japan has the same situation. But, a couple of earnest programers began tryng to check modules sometimes. That's difference from xoops.org. Is this happy or unhappy? If they stop checking, we face danger soon. The XOOPS Cube project is Anarchism and Minarchism, so the project doesn't have quality checker.

I think that users need self protection in freedom. But, Anarchism denies governmental method, but not an unique method. If a community has shared protection, it's good. If you have another opinion, do discuss.

But, if you think that opened programs will be fixed by many contributed patches, consider how many patches you have contributed to others' program until now. And, if you plan to make the mood you want, you should write something continually on Japanese community. It's strange thought to counterwork others' continual activity by sending a mail to the third person.

Anyway, community members need to know that all of open source programs is not safety. If community members share the same presupposition, it's possible to go next. What do you do actually?

Especially, many users have long experience about XOOPS than me. I want to hear how much open source code they checked actually and how much patches they contributed actually. My recollection is that anybody did nothing until JM2 came back to review X2.

2 comments:

Nuno Luciano said...

By the past, PHP language was very permissive, maybe that was good for beginners, but it was really bad compared to those languages a bit more strict alike C or Java, adopted by professionals. People develop bad habits, people share and people learn bad habits. No gate to escape from that!
Well, until a fork - XCL ^^

Open source is a lot of self-learning!
And freedom to choose your source.
Well chosen your source, well learn!

Xoops.org with such huge list of tasks to be done, choose Statism with to much 'officials' teams, titles, etc. Instead, as suggested, it would be better to adopt a light and fast org model. Fact is that people fight for "power and titles" and not for "freedom for creativity". It is a heavy project with a heavy structure, that takes a long time to move on ... too long to follow web technologies evolution.

Since the 2005 audit, it was suggested to fix it to move to new Legacy. But also clean the public space and made it a public archive.

minahito said...

But, in Japan, it is a major opinion that the developer who released security hole module should stop publishing modules. And, they don't want to do self-learning. That's a stalemate.