JusTertii wrote: I understand what your point is, but it still doesn't guarantee anything. It's sort of like the maxim that "with enough eyes, all bugs are shallow". Sounds good in theory, but it simply doesn't marry with reality. We just don't have enough eyes to even approximate this, and as such have to hope the eyes we do have are looking in the right places. A case that comes to mind is the Heartbleed vulnerability -- from what I recall, that was an OpenSSL weakness that wasn't exposed for a number of years.
This is such a null argument... You can power off your computer then, because what software on your computer can you trust to not have backdoors, unless you wrote it yourself
The difference between OpenSSL at the time of Heartbleed and systemd is that there was no funding for the OpenSSL developers at the time, so all work was done as a "hobby" by them in their spare hours. A lot of companies woke up after Heartbleed, understanding that without funding, the free software they depend on for their businesses can't be maintained at the level they need to securely run those businesses (and Heartbleed cost a lot of companies money to fix; it would have cost less to sponsor developers and audits).
After Heartbleed the Linux Foundation organized the Core Infrastructure Initiative to get funding for critical projects like OpenSSL and OpenSSH. Besides funding two full-time developers for OpenSSL, it has funded the Open Crypto Audit Project to audit the OpenSSL source code.
systemd already has backing from multiple companies (besides Red Hat, there's Intel, IBM, Samsung, and many more). While the two core developers are currently employed by Red Hat, systemd is a free software project developed collaboratively in the open on freedesktop.org (along with many other free software projects: http://freedesktop.org/wiki/Software/ ). The source code is at freedesktop.org, the mailing lists are there, the bug tracker is there, and the IRC channel is on freenode.net. I don't understand the Red Hat hate, or how all these companies employing developers to work on systemd is somehow a reason to suspect those companies of building backdoors... With free software, that seems like it would run counter to the interests of those companies.
But yeah, you can keep going in circles that there "aren't enough eyes on <insert any open source project here>," or that enough eyes on the code don't equate with it being secure. That's your prerogative.