
This is where the 'many eyes' thing comes into play; if the whole distro is OSS, then you can be pretty sure that it's good.



Most people never review source code, and they certainly don't disassemble and review all the binaries. 'Many eyes' is a security fallacy in cases like this.


Tails is ridiculously well known; if something was bad in it, it would be big news.


If it was found. Which is the point.

Debian, which is much better known and in much wider circulation than Tails, generated weak SSH keys for two years. Yes, it was indeed very big news. When it was found. After two years.

Oh, and tin-foil-hat on: Do we know (actually know-know, not just assume, think, trust) that the weakness wasn't planted there?


TAILS is actually now done by the Tor Project, so I think they have a vested interest in vetting it before it is released.

https://www.torproject.org/projects/projects/


And Debian doesn't have a vested interest in making sure a central security component isn't weakened?

Also, how do you know that Tor and Tails aren't infiltrated by the enemy (for any value of "enemy")?



