The Trials And Tribulations Of Open Source Software Development
Unsigned Applications And Unpatched Code
There are two stories today about open source software, and about small developers trying to get their apps to run on Windows, that are related but probably not cause and effect. RiskSense vetted a large number of open source programs looking for unpatched security bugs that are known and documented on sites such as the National Vulnerability Database. They skipped the big ones such as Linux and Drupal, as the large user base generally detects and reports issues vociferously and patches tend to be made available quickly, even if the user base does not install them immediately.
They looked at repositories such as GitLab, MongoDB and Elasticsearch to examine the code for known security bugs, and they certainly found them. While it is not terribly surprising that some code contains problems, it is the trend they are seeing that is worrisome. The 2018 study revealed 421 bugs; in 2019, last year, that count jumped to 968, which is not the result we want to see. Slashdot mentions PostgreSQL as one of the worst for this particular issue, with reporting and resolution delays of eight months.
The Register is concerned about a different aspect of using open source programs on Windows: Microsoft has added more steps to running unsigned software. If a developer does not pay for a code-signing certificate, installing their app on Win10 now involves a ridiculous number of nag screens before the software can be used. They spoke with Tony Pottier, the developer of ImageView, about how this impacts his end users.
The Register tried installing an unverified app and counted seven screens to get through before installation was possible. The first step is quite possibly the worst: when you attempt to download the file you are only offered the options to Delete or Cancel, unless you notice the additional options and open your browser's full download manager to find a way to convince your machine to download the file, long before you can actually install it. This is definitely going to have an effect on smaller developers who can't afford the process of getting a certificate.
A developer of a Windows utility has protested that "Microsoft Defender SmartScreen is hurting independent developers" because of the number of warnings and obstacles placed in front of users who download installers that are not signed or sufficiently well known.