@Dashrender said:
Also, don't take this as my saying that closed source is better - I'm not. I'm just saying that anyone who isn't already familiar with this situation needs to be aware that just because something is open source does in no way imply that anyone has ever done an audit, let along a security audit of the code.
No, but you are implying that open source is equal or worse, but it is not. It is better (or equal.) It literally has no downsides compared to closed source (for the end users, obviously what is bad for the customers might be good for the vendor) but does require customers (but not every customer) to leverage to have it still be beneficial for all (one enterprise doing an audit and checking or improving code helps everyone). The same code made open or closed will always be better or equal to the same code closed source.
You are completely correct that no one should think that the nature of a license for code visibility would mean that it is magic and that audits are automatic - but I've never heard of anyone implying or believing such a thing. I think we were all assuming that no one thought that open sourcing code was doing anything like that.
But we also have the vast majority of enterprise open source software being audited all the time. So in one way, we have to be aware of basics like source licensing does not imply an audit. At the same time we have to be understanding that major companies certainly do audit core code, especially security code, regularly and that there is a level of auditing going on on enterprise open source that exists nowhere else.
