[ale] Security and OSS

JK jknapka at kneuro.net
Thu Feb 18 18:18:08 EST 2010


Many of you have probably seen this on /. already. The article
is thought-provoking, and touches on some issues that have
arisen on this list recently.

http://blogs.msdn.com/shawnhernan/archive/2010/02/13/microsoft-s-many-eyeballs-and-the-security-development-lifecycle.aspx

http://preview.tinyurl.com/yapyo8w


My initial thoughts about this are:

First, I've noticed a dearth of "many eyes" on the majority of OSS projects'
code bases.  Some projects, like the Linux kernel, gather a lot of attention.
Most, however, are limited to the scrutiny of their core developers, and
maybe a few sometime contributors who get annoyed by specific bugs.

Nonetheless, for many OSS projects the core development team constitutes a
cadre of hard-core users, since most OSS projects are run by folks who
need the tools they are maintaining.  When a bug is noticed that affects
that group, it's likely to be fixed very quickly.  This is unlike
proprietary software that is being maintained by paid staff, who may not
have any particular need for the software they are paid to work on.

The bugs that get found by OSS developers probably tend to be those that
directly affect the functionality of the software.  Security bugs often
have no harmful effect until they are exploited, so they would be less likely
to be caught by folks fixing bugs that directly affect them.

Finally, I have a vague idea that ESR's "many eyes" argument may have been
more true in the past, when there were fewer OSS projects, and those were
being maintained by a pool of talented developers who were spread less
thin.  But I'm not sure about that.

-- JK


-- 
We Americans are a freedom-loving people, and nothing says "freedom"
like Getting Away With It. -- Guy Forsyth, "Long Long Time"
