There are some folks who say that open source software is much better than proprietary (commercial) software because you can look at the source code. Setting aside whether you or I would even know what we were looking at, it isn't that simple, as this story shows.
On the other hand, proprietary (commercial) software isn't a silver bullet either. If it were, Microsoft would not have patched 48 bugs this month.
Here is the story.
OpenVPN is extremely popular virtual private network software. It runs on all major operating systems and is used by millions of people.
If the theory that open source software is safe because anyone can look at it held up, then software this widely used should have no bugs left in it.
Recently there have been two independent code audits. One was done by the respected Johns Hopkins cryptographer Matthew Green. Green found several bugs, but nothing super major. At the same time, another code audit was being done in Europe by Quarkslab. They found two more bugs that Green didn't find.
Okay, so now we have lots of people using the software and two separate, independent code reviews. Surely there can't be any bugs left.
Guido Vranken then decided to run his own test, attacking the software with a technique called fuzzing: feeding a program huge numbers of automatically mutated inputs and watching for crashes and other misbehaviour. The details matter mostly to hackers and security researchers, but suffice it to say, Guido found yet more bugs.
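To make "fuzzing" concrete, here is a small, added example (my own code, not OpenVPN's and not taken from Vranken's work). It uses a constructed, hypothetical option format: one type byte, one length byte, the payload, then a one-byte checksum. The "buggy" parser trusts the length byte without checking that the buffer actually holds that many bytes, which is the Python analogue of an out-of-bounds read in C. The mutation fuzzer below flips bytes, inserts bytes and truncates a known-good seed until the parser blows up in a way it was never designed to; the same fuzzer run against the fixed parser finds nothing. The seed message and everything else here is constructed for the example.

```python
"""Toy mutation fuzzer against a constructed option-record parser.

Record layout (hypothetical, for this example only):
    type (1 byte) | length (1 byte) | payload (length bytes) | checksum (1 byte)
"""
import random
from typing import Callable, List, Optional, Tuple

Option = Tuple[int, bytes]


def checksum(payload: bytes) -> int:
    """One-byte additive checksum over the payload."""
    return sum(payload) & 0xFF


def encode_options(options: List[Option]) -> bytes:
    """Serialise a list of (type, payload) pairs into the record format."""
    out = bytearray()
    for typ, payload in options:
        out += bytes([typ, len(payload)]) + payload + bytes([checksum(payload)])
    return bytes(out)


def parse_options_buggy(buf: bytes) -> List[Option]:
    """Deliberately flawed: trusts the length byte and never checks that
    the header, payload and checksum actually fit inside buf.
    A truncated or length-corrupted record makes it read past the end
    (IndexError here; an out-of-bounds read in a C implementation)."""
    i, opts = 0, []
    while i < len(buf):
        typ, length = buf[i], buf[i + 1]
        payload = bytes(buf[i + 2:i + 2 + length])
        if buf[i + 2 + length] != checksum(payload):
            raise ValueError("bad checksum")
        opts.append((typ, payload))
        i += 3 + length
    return opts


def parse_options_fixed(buf: bytes) -> List[Option]:
    """Same parser with explicit bounds checks; malformed input is rejected
    with ValueError instead of being read past the end of the buffer."""
    i, opts = 0, []
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated header")
        typ, length = buf[i], buf[i + 1]
        end = i + 2 + length            # index of the checksum byte
        if end >= len(buf):
            raise ValueError("truncated record")
        payload = bytes(buf[i + 2:end])
        if buf[end] != checksum(payload):
            raise ValueError("bad checksum")
        opts.append((typ, payload))
        i = end + 1
    return opts


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, boundary value, insert, or truncate."""
    data = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and data:
        pos = rng.randrange(len(data))
        data[pos] ^= 1 << rng.randrange(8)
    elif choice == 1 and data:
        pos = rng.randrange(len(data))
        data[pos] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif choice == 2:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif data:
        del data[rng.randrange(len(data)):]
    return bytes(data)


def fuzz(target: Callable[[bytes], object], seeds: List[bytes],
         iterations: int = 2000, seed: int = 1) -> Optional[dict]:
    """Mutate seeds and feed them to target. ValueError is the parser's
    intended rejection path; any other exception is treated as a crash
    and returned with the input that triggered it. Inputs the parser
    accepts are kept as new seeds (a stand-in for coverage feedback)."""
    rng = random.Random(seed)           # fixed seed: reproducible runs
    corpus = list(seeds)
    for n in range(iterations):
        data = mutate(rng.choice(corpus), rng)
        try:
            target(data)
        except ValueError:
            continue
        except Exception as exc:        # noqa: BLE001 - that is the point
            return {"iteration": n, "input": data, "error": repr(exc)}
        corpus.append(data)
    return None


# Constructed seed: two well-formed records.
SEED = encode_options([(1, b"user"), (2, b"\x05")])

if __name__ == "__main__":
    print("buggy parser:", fuzz(parse_options_buggy, [SEED]))
    print("fixed parser:", fuzz(parse_options_fixed, [SEED]))
```

Real fuzzers such as AFL and libFuzzer do the same thing against native code, with coverage instrumentation guiding which mutated inputs to keep and a sanitizer turning silent out-of-bounds reads into reported crashes; this toy keeps every accepted input instead, which is enough to show why a parser that passed two audits can still fall over on input nobody thought to hand-craft.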
So what does this mean?
Is OpenVPN bad software?
No, in fact, it is pretty good software.
What it means is that it is very difficult to create bug free software even if you are very committed to doing so.
So when people get into an argument about open source vs. closed source software, here is what to say.
Neither is good. Neither is bad. But if you think that open source software will be bug free because it is open, I am telling you that you are fooling yourself. OpenVPN is a perfect example of that.
Bug free software is hard. Maybe impossible. Every piece of software has bugs. It is just a fact of life.
That doesn't mean people shouldn't like open source software, or closed source software. There are lots of reasons to like either, and lots of reasons not to.
Information for this post came from Guido Vranken's blog.