
Why it's hard to trust software, but you mostly have to anyway


Posted by ekr on 28 Dec 2024 [Edited to change the title and subtitle -- 2024-12-28].

My long-time collaborator Richard Barnes[1] used to say that "in security, trust is a four letter word", and yet the dominant experience of using any software-based system—which is, you know, pretty much anything electronic—is trusting the manufacturer.

Any nontrivial program consists of hundreds of thousands to millions of lines of code, and reviewing any meaningful fraction of that in a reasonable period of time is simply impractical. For example, PyPI used to have GPG signatures, but it looks like they didn't work that well for a variety of operational reasons; they were recently removed and replaced with "digital attestations" based on Sigstore. Many popular packages are still not signed, however, and as far as I can tell there is as yet no automatic verification. Open source, audits, reproducible builds, and binary transparency are all good, but they don't eliminate the need to trust whoever is providing your software, and you should be suspicious of anyone telling you otherwise.
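To make the limit of "verification" concrete, here is an added example (not from the post, and not pip's own code) that re-implements the check pip performs in hash-checking mode: a requirements file pins each release to one or more `--hash=sha256:<hex>` values, and any downloaded artifact whose digest is not on the list is refused, as is any requirement that has no hash at all. The lockfile text and the two "wheel" byte strings below are constructed for the demo. A matching digest proves only that you received the same bytes the lockfile author pinned; whether those bytes deserve trust is exactly the question the tooling cannot answer for you.

```python
"""Offline re-implementation of pip-style hash pinning (added example, not pip's code).

Mirrors the requirements-file syntax pip accepts:

    name==version \\
        --hash=sha256:<hex> [--hash=sha256:<hex> ...]

and the all-or-nothing behaviour of hash-checking mode.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed artifacts standing in for downloaded wheels.
GOOD_WHEEL = b"PK\x03\x04 constructed wheel contents for demo-1.0"
TAMPERED_WHEEL = GOOD_WHEEL + b" plus bytes the lockfile author never saw"

# Constructed lockfile. 'demo' is hash-pinned; 'other' is version-pinned only,
# which hash-checking mode must reject rather than silently accept.
LOCKFILE = (
    "demo==1.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}\n"
    "other==2.3\n"
)

_REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==(\S+)")
_HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")


@dataclass
class Pin:
    name: str
    version: str
    # algorithm -> set of acceptable hex digests (several are allowed, e.g.
    # one per platform wheel)
    hashes: dict[str, set[str]] = field(default_factory=dict)


def parse_lockfile(text: str) -> dict[str, Pin]:
    """Parse requirements text into Pin objects keyed by normalized name."""
    pins: dict[str, Pin] = {}
    # Backslash-newline joins a requirement with its --hash continuation lines.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        pin = Pin(m.group(1).lower(), m.group(2))
        for algo, hexdigest in _HASH_RE.findall(line):
            pin.hashes.setdefault(algo, set()).add(hexdigest.lower())
        pins[pin.name] = pin
    return pins


def verify_artifact(pin: Pin, data: bytes) -> str:
    """Return 'ok', 'mismatch', or 'unpinned' for one downloaded artifact."""
    if not pin.hashes:
        return "unpinned"          # hash-checking mode refuses these outright
    for algo, allowed in pin.hashes.items():
        if hashlib.new(algo, data).hexdigest() in allowed:
            return "ok"
    return "mismatch"


def check_downloads(pins: dict[str, Pin], downloads: dict[str, bytes]) -> dict[str, str]:
    """Verify every pinned requirement against the bytes fetched for it."""
    return {name: verify_artifact(pin, downloads[name]) for name, pin in pins.items()}


def install_allowed(statuses: dict[str, str]) -> bool:
    """pip installs nothing unless every requirement verified cleanly."""
    return all(status == "ok" for status in statuses.values())


if __name__ == "__main__":
    pins = parse_lockfile(LOCKFILE)
    for name, data in (("demo", GOOD_WHEEL), ("demo", TAMPERED_WHEEL), ("other", b"whatever")):
        print(f"{name}=={pins[name].version}: {verify_artifact(pins[name], data)}")
    print("install allowed:", install_allowed(check_downloads(pins, {"demo": GOOD_WHEEL, "other": b"x"})))
```

Running the block reports `ok` for the pinned bytes, `mismatch` for the altered wheel, and `unpinned` for the requirement without a hash, so the overall install is refused. Nothing in that outcome tells you whether the pinned `demo-1.0` bytes are benign; that judgement was made, implicitly, by whoever wrote the lockfile.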
