> I have been told by numerous DoD IA people that "Open Source is bad because anyone can put anything in it" and "We'd rather have someone to call." I understand the second point -- we honestly don't have the time to run every last issue to ground and it's probably better if we do have some professional support for some of our most important tools. But the first just boggles my mind.
Given the degree to which the DoD itself, via the NSA, has subverted open standards which have the same theoretical "many eyes" protection as open source, this isn't actually a surprising attitude for DoD to have.
Whether "no open source" is the best (or even a practicable, as the rest of your post addresses) method of addressing this concern is another question.
The "IA" in DoD is generally the NSA. The NSA is made primarily of two different camps. SIGINT is their offensive side aka "hack the planet". The Information Assurance Directorate is the "blue team" who tries to protect government infrastructure.
The overall, top-level IA people who set the standards and procedures that must be followed are NSA. However each department and organization is responsible for having professionals who understand the policies and can follow the rules.
True, but this project will not be allowed to die. So we will see what happens when the proverbial immovable object (IA) meets an unstoppable force (people with stars on their shoulders).
Well, the Flask security architecture (about 10 years of research that culminated in what is now SELinux) was written specifically for Information Assurance by IAD, so... Blue Team.