[Discuss] Is open source more secure at the current level of AI?

Steve Litt slitt at troubleshooters.com
Sun Apr 12 20:50:02 EDT 2026


Kent Borg said on Sat, 11 Apr 2026 14:40:42 -0700

>On 4/11/26 9:53 AM, Rich Pieri wrote:
>> On Sat, 11 Apr 2026 08:08:37 -0700
>> Kent Borg<kentborg at borg.org> wrote:
>>  
>>> 1. Open source means bad guys can look at the source, this is a real
>>> risk for open source.  
>> This is the false dichotomy that the "proprietary is more secure"
>> argument hinges on.  
>
>Certainly closed source sources can be had on occasion. Duh. But open 
>source is trivial to get. Want to aim some AI at open source sources? 
>Easy, burn the tokens and electricity, and find bugs. Want to do it to 
>close source sources? Gotta go be clever about getting them, and 
>sometimes clever isn't even enough.


And here we go. Let's say, just for the sake of argument, that Open
Source is more vulnerable to AI derived attacks than closed source.
What now? 

Do we switch to closed source, where our every move is stored
on the Internet? I'd hugely prefer AI derived attacks to what closed
source will inevitably force us into.

So why so many bugs in Open Source? When most folks ask me that, my
response is "look in the mirror." Do you evangelize the million plus
LOC systemd over the 14K LOC Runit, an init system which even I
understand reading its code? If so, you're part of the problem. Do you
enjoy writing code 14 levels deep with abstraction? If so, you're part
of the problem. When needing to add a new capability to your software,
is your first thought "let me find somebody who has already done this,
and incorporate their entire library?" If so, you're part of the
problem, especially when it comes to supply chain attacks.

How do you like the tens or hundreds of command line warnings thrown by
GTK-linked apps in a lot of situations on a lot of distros? People
blame those warnings on the way the distro's packager does the
build and on the user's failure to install every last suggested
package, but what it really is is a sign of the hypercomplexification
of software through gratuitous unnecessary linkages.

Do you choose GUI applications over Curses applications, even when the
Curses application does all the same work and is just as user friendly?
Once again, look in the mirror.

Qt isn't much better.

All of this was solved decades ago: The Unix philosophy: Do one thing
and do it well. Our (Free Software Community's) departure from the Unix
philosophy has increased software attack surface by orders of
magnitude, and now a return to proprietary software, with our data held
by the software provider, is being contemplated. The costs of
complexity aren't always obvious to the user or even some developers,
but the costs are costly.

I now eagerly await the rebuttals utilizing logical fallacies "Appeal
To Novelty", "Ad Hominem", "Strawman" and "Red Herring".

SteveT

Steve Litt 

http://444domains.com

