[kwlug-disc] given enough eyeballs, all bugs are shallow?

Robert P. J. Day rpjday at crashcourse.ca
Fri Jan 8 02:52:22 EST 2010

  i'm currently perusing the book "the security development lifecycle"
as it was recommended to me as a well-written overview of designing
and developing secure software.  it's a little annoying as it's
definitely written from a MS perspective, and very early on, the
authors diss the idea that open source necessarily makes more secure
software.  specifically, they don't put much stock in that whole
"given enough eyeballs, all bugs are shallow" maxim.

  while i think that OSS is, at some fundamental level, more secure
*because* of its visibility to the world, i have to admit that the
authors seem to have a point in that it's more of a warm, fuzzy
feeling than a strictly quantifiable metric.  so i was wondering if
there are solid, compelling arguments for claiming that OSS is more
secure.  here are a couple points i've been thinking of.

  even if you start with the assumption that OSS will have its share
of *initial* bugs, when those bugs are discovered and patches are
submitted, in most cases, people who are following the development
will see the patch being submitted.  and because of that public
scrutiny, it's highly unlikely that a patch to fix *one* bug will
introduce *another* one by accident.  this happens on the kernel
mailing list all the time -- someone submits what looks like a simple
fix, only to have someone else immediately point out that that patch
creates a new problem of its own.  patch is fixed, resubmitted, and
life goes on.

  a second point would be that more and more OSS projects allow
anonymous users to check out and build the development version of the
repo so they can play along at home.  they should, of course, expect
problems since it *is* development, but having people doing this makes
it far more likely that coding bugs will be identified before the
official release.  and having access to the commit logs is useful in
its own right.

  any other thoughts?  i've always liked the idea of "given enough
eyeballs, all bugs are shallow," but i don't think it can stand by
itself.  i think the defense of OSS as being more secure needs more
explicit points as to *why* it should be inherently more secure.


Robert P. J. Day                               Waterloo, Ontario, CANADA

            Linux Consulting, Training and Kernel Pedantry.

Web page:                                          http://crashcourse.ca
Twitter:                                       http://twitter.com/rpjday
