Feature Request: Open Source Vivaldi; it's important for security.



  • As is proven by other Open Source projects, security bugs are found by independent researchers faster when source code is available. It also establishes trust that there are no backdoors. You should release Vivaldi source code under a free software license. https://www.gnu.org/licenses/license-list.html#GPLCompatibleLicenses Thank you.



  • Though f/loss projects are not without merits, and I support the open source movement too, this is a pet project of a couple of dedicated people on a mission to please a very specific group of users with their product (early in development and testing yet). Their decision currently seems to be to keep it close to their hearts (to avoid unnecessary, pre-emptive forking and fragmentation and to protect their investment in it). They don't yet have the basis that Mozilla or the Document Foundation have, being an umbrella for hundreds of programmers, to coordinate and direct the life path of a huge project. Until then, let's give them the support they need to spread their wings. As their portfolio widens (mail client, etc.), their ranks advance, and their products mature, they might decide on such changes.

    Understandably, the loss of the Presto engine, or for example the demise of TrueCrypt, are omens in the air, but not an unalterable, set-in-stone glimpse of the future for the Vivaldi browser.

    BTW security audits can be conducted on closed-source projects as well with an NDA (non-disclosure agreement) regarding the source code. Though I, personally, was satisfied with the way the old Opera was kept quite secure (by some of the same people currently working on Vivaldi) albeit being closed-source also.


  • Vivaldi Translator

    In the section of the forum for the browser, this topic has already been raised.
    https://vivaldi.net/en-US/forum/vivaldi-browser/828-please-open-source-this-vivaldi
    (This section of the forum is for discussing security in general.)



  • @Dr.Flay:

    In the section of the forum for the browser, this topic has already been raised.
    https://vivaldi.net/en-US/forum/vivaldi-browser/828-please-open-source-this-vivaldi
    (This section of the forum is for discussing security in general.)

    I would argue that the fact Vivaldi is not open source is a pretty big security issue. There is no way the code can be audited independently that way.



  • I disagree. Open source doesn't inherently make better software or more secure software. It just shifts the burden on assuming somebody will take care of it, dedicate their time (for free, of course) to maintaining it and is also the single most knowledgeable person on the planet to say with total authority that the software is flawless. It's a silly ideal. And it introduces a ton of new issues that your blanket supposition doesn't account for, like forking, community drama and licensing.

    Windows is closed source. Opera is closed source. Yet somehow they manage to innovate constantly without relying on soliciting contributions from the OSS community. OSS isn't for everyone or every project.

    The reality is if you do not trust the Vivaldi devs enough to say outright 'we have not placed any intentional backdoor' and believe them, then don't use the product. Even as a major privacy advocate, I don't expect they would lie about this. To assume otherwise is paranoia.


  • Moderator

    <offtopic>Vivaldi is a company and I don't think they will throw away their knowledge and work by going to GPL or another OSS licence.

    If someone wants to help the browser get more secure, she/he can ask Vivaldi about helping with testing internally.</offtopic>



  • @dib_:

    I disagree. Open source doesn't inherently make better software or more secure software. It just shifts the burden on assuming somebody will take care of it, dedicate their time (for free, of course) to maintaining it and is also the single most knowledgeable person on the planet to say with total authority that the software is flawless. It's a silly ideal. And it introduces a ton of new issues that your blanket supposition doesn't account for, like forking, community drama and licensing.

    Windows is closed source. Opera is closed source. Yet somehow they manage to innovate constantly without relying on soliciting contributions from the OSS community. OSS isn't for everyone or every project.

    The reality is if you do not trust the Vivaldi devs enough to say outright 'we have not placed any intentional backdoor' and believe them, then don't use the product. Even as a major privacy advocate, I don't expect they would lie about this. To assume otherwise is paranoia.

    But you are wrong.


  • Moderator

    FlippyDee:

    If you feel you need an open source browser, then you should use one. Arguing the matter here will ultimately come to nothing.



  • @dib_:

    I disagree. Open source doesn't inherently make better software or more secure software. It just shifts the burden on assuming somebody will take care of it, dedicate their time (for free, of course) to maintaining it and is also the single most knowledgeable person on the planet to say with total authority that the software is flawless. It's a silly ideal. And it introduces a ton of new issues that your blanket supposition doesn't account for, like forking, community drama and licensing.

    Windows is closed source. Opera is closed source. Yet somehow they manage to innovate constantly without relying on soliciting contributions from the OSS community. OSS isn't for everyone or every project.

    The reality is if you do not trust the Vivaldi devs enough to say outright 'we have not placed any intentional backdoor' and believe them, then don't use the product. Even as a major privacy advocate, I don't expect they would lie about this. To assume otherwise is paranoia.

    While I do somewhat agree, your examples of closed source projects innovating are awful. Opera is just adding back Opera 12 features and Microsoft is busy with implementing NSA backdoors.



  • I disagree that making it open-source makes it safer. What about the Heartbleed bug in OpenSSL, which wasn't discovered for years? What about the Shellshock bug in bash?


  • Moderator

    //EDIT: Doublepost because of unstable DSL


  • Moderator

    Vivaldi will not be Open Source. It is a commercial product and the company does not gift their investment to OpenSource.
    I think in the near future Vivaldi may give patches and enhancements to the Chromium project like Opera ASA and others do.

    OpenSource does not make software more secure. And security audits are not done for nothing by external people.

    Vivaldi has a security specialist. I think he and other devs take care that the product will be secure.



  • If it is any consolation, Vivaldi already is "partially" open source. The modifications made to the C++ core (i.e. Chromium) are cosmetic at best, and one can imagine this scenario:

    1. Reverse engineer the necessary changes to Chromium (cursory looks hint it should be fairly simple). Then modify Chromium to make it able to host the Vivaldi blob.
    2. Use Chromium with the Vivaldi JS blob.

    This way, we could have our cake and eat it too. People could still be pretty certain Vivaldi is as secure as Chromium is, while the Vivaldi company could retain their closed source business model. The aforementioned split will most likely happen if Vivaldi stays with an obsolete Chromium core for whatever reason. Or alternatively, the Vivaldi company could show us good faith and open source the C++ portion, as bugs in that part are hard for the community to fix.

    I can already make changes to the UI side, though I can't post it online because it would break the TOS and it's counterproductive, as most of the heavy development goes on there.



  • Classic Opera was not open-source, nor is Blink Opera, and to my knowledge it has always fared at least as well as Firefox when it comes to security tests.


  • Moderator

    Do you really think that a pool of unorganized (or even anarchic) programming people will contribute good and safe code?
    Security testing and reporting can be done without the source.

    And reverse engineering and forking Vivaldi? OMG. Let's call it Mozart, and it will die shortly because of no employment and importance.



  • And reverse engineering and forking Vivaldi? OMG. Let's call it Mozart, and it will die shortly because of no employment and importance.

    Plenty of people did, to fix simple bugs and do custom theming. Albeit obfuscated, resources/vivaldi/bundle.js is not exactly rocket science. However, it's close to impossible to do a proper "rogue" fork out of that as it is obfuscated, not to mention Vivaldi folks wouldn't be too happy about it; besides, they're the ones who write that code, unlike Chromium. Best you can do is put hooks here and there and bolt some mods on top of it, a similar situation to Minecraft, where you hope the extension catches on enough that the original creators actually adopt it.

    The difficult part is the Chromium core fixes: you pretty much can't touch anything there without wasting a lot of time REing a binary which is already 99% open source, yet closed for no apparent reason, which is somewhat annoying.

    Do you really think that a pool of unorganized (or even anarchic) programming people will contribute good and safe code?
    Security testing and reporting can be done without the source.

    I guess Windows is more secure than Linux then. Ever heard of patch review guidelines? Chromium has that :)



  • Vivaldi is pretty much already open source. Jon even said so many times on his Twitter Q&A. Now, whether that means the entire code is completely open-source, I don't know, or that it's at least open-source enough to satisfy anyone and can still protect itself from copyright and benefit from privacy/security and contribution.


  • Moderator

    See https://vivaldi.com/source/ for some Source ;)

