[kwlug-disc] given enough eyeballs, all bugs are shallow?

Paul Nijjar paul_nijjar at yahoo.ca
Wed Feb 17 22:42:51 EST 2010

On Tue, Feb 16, 2010 at 02:35:15PM -0500, Khalid Baheyeldin wrote:
> Reviving this thread ...
> Microsoft pitches in re: "given enough eyeballs, all bugs are shallow".
> http://blogs.msdn.com/shawnhernan/archive/2010/02/13/microsoft-s-many-eyeballs-and-the-security-development-lifecycle.aspx
> Obviously, Microsoft has no love for that argument for known reasons ...

Unsurprisingly, I agree with a good fraction of that essay. Most of us
are not doing security audits, and that is hurting us. Paying people
Microsoft wages is a good way to get enthusiastic code auditors and

One contrary side of this story that somebody else has probably
mentioned: bug reports. In my opinion public bug reports are one of
the key factors that make open-source software competitive. There is
no good reason why transparent bug reports should be limited to open
source software, but for whatever reason it is (or up until recently
it was) embedded in the culture. 

Not only do transparent bug tracking systems help find bugs, but they
help document workarounds that fix the problem until a developer gets
the energy to fix the bug in question. That is a concrete way in which
many eyeballs work together to produce better code, even if many of
those eyeballs are not linked to programmer brains. 

As a person sentenced to work with proprietary Microsoft software, I
really wish I could visit http://bugs.microsoft.com (or better yet
http://bugs.microsoft.com/<packagename> ) and get useful information.
Knowing that such information is available for second-class
open-source software just makes the punishment worse. (Yes. I should
probably figure out how to subscribe to TechNet or something, because
that does not weed out useful eyeballs at all.) 

- Paul
