This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ripe-atlas@ripe.net/
[atlas] Survey results on Atlas open-sourcing
- Previous message (by thread): [atlas] Survey results on Atlas open-sourcing
- Next message (by thread): [atlas] Survey results on Atlas open-sourcing
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Iñigo Ortiz de Urbina
inigo at infornografia.net
Wed Jan 4 17:07:10 CET 2012
As the survey shows, and as Simon just stated, I do not think that security through obscurity is the way to go, provided the nature of this volunteering measurement platform. However, it is not all that simple, IMHO. I particularly support the idea of releasing the source code gradually, even under temporary NDAs if necessary, in order to improve the security of probe or controllers by getting the code audited by more people. Enhancing the system by introducing more features (different traceroute algorithms and options) or polishing the existing ones (IPv6 support, which is currently limited by the busybox version probes are running atm, IIRC) is something possible and desirable, if we dont forget that its Atlas itself what has to improve. I personally do not endorse the creation of further parallel, *public* measurement platforms. This is a hairy topic that guarantees a nice discussion on its own thread or meeting, but if I had to say something, I would say Atlas is doing pretty well and that a hybrid model allowing independent probes to join in a controlled fashion (as it has already been suggested) making Atlas grow... that'd be the way to go. There are way too many factors to consider here (tampering, tweaking, faking, validating the measurement results; reasearch interest in the measurements performed and archived data, how to deal with that possible variety of measurement types...) and so a single post is clearly not enough to elaborate, so... please take it with a grain of salt. Philip has been able to articulate my ideas much better than myself, so I will simply +1 his educated points: On Wed, Jan 4, 2012 at 4:45 PM, Philip Homburg <philip.homburg at ripe.net> wrote: > On 1/4/12 16:11 , Simon Josefsson wrote: >> >> "Richard L. Barnes"<rbarnes at bbn.com> writes: >> >>> Analyze as you will :) >> >> One thing that strikes me from the discussion has been an absence of >> answers to this question: What would reasons be to _not_ release the >> source code? >> >> I believe that unless there is a strong reason not to release the >> source, it should be done because there is interest in it and there is >> potential to get improvements out of it. >> > There are some non-technical arguments that I won't list here. > > One argument for not releasing is security by obscurity. It is easier to > find security holes if you can just download the source. Instead of trying > to obtain a probe, getting the firmware out of it and decompiling the > binaries. In short, within RIPE NCC the question needs to be answered > whether the source can released as is, or whether a security audit is > required. Needless to say, a security audit is likely to cost money. > > Dumping the source just as a tar file on a web site is easy. But that will > be one way communication. And most likely fork the project. Not good. > +1 I couldnt be more openly against unnecessary forks. > If you want to turn it into an open source project, then a lot of stuff has > to happen. In particular, the project has to be mature enough that it can > actually be installed without too much pain. Of course, this costs time and > money. > +1 Its always good to deal with any subject around Atlas, but perhaps it is not the _optimal_ moment to release the source, to say the least. > > > >
- Previous message (by thread): [atlas] Survey results on Atlas open-sourcing
- Next message (by thread): [atlas] Survey results on Atlas open-sourcing
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]