[liberationtech] About "Confide"
Jonathan Wilkes
jancsika at yahoo.com
Sat Apr 26 19:54:10 PDT 2014
On 04/26/2014 09:33 PM, Shava Nerad wrote:
>
> Security software isn't like a lot of open source projects. Generally
> there have to be narrowly controlled commits, well reviewed. Those
> people are experts who may have a lot of other demands on their time
> that are far far more monetarily rewarding if the project is
> un(der)funded. So they are rare altruists, and we often burn out our
> best.
>
> I am not trying to compare these projects to closed source projects. I
> am trying to compare them to FOSS hubris.
>
> The idea that we have, that the NGO sector has, that there is inherent
> virtue in poverty and inherent evil in gaining enough resources to be
> well resourced for the work available.
>
> We need to get over that aspect of this whole thing. Ideally, in my
> opinion, we need well organized well resourced groups with less
> politics and less fashion-driven ideals. I have no problem with free
> software and open source -- I have worked with a number of projects
> over the years in various roles. I was the original publicist for FSF.
>
> But if we always are comparing ourselves to closed source projects,
> then we are not able to own either our own native strengths or the
> vulnerabilities in our own working culture. We glorify doing more
> with less to an excess. It's not always appropriate, in extremis, for
> every project.
>
> Security projects are at a huge disadvantage in an environment of
> impoverished resources. Any one of you should be able to run that
> risk analysis. Open or closed, under-resourced projects will be at
> greater risk. Period.
>
> We should evaluate how the environment around a project -- funding,
> development, research attention, use in greater communities -- leaves
> it more or less prone to exploit attention being more likely than
> community maintenance.
>
> Because at root (pun possibly intended), some of the balance may be
> coming down to the size of the pool of hackers focused on the code
> with either intent.
>
> It's a buyer's market out there. I don't make the news. But it does
> make me ponder.
>
> This seems like a hard problem, to me. Tell me, what is it that I
> misunderstand?
>
So in a nutshell you want to focus on the word _insufficient_ in the
sentence, "Free software is a necessary but insufficient prerequisite
for secure software." If that's the upshot then I understand and agree
with your focus.
-Jonathan