[kwlug-disc] given enough eyeballs, all bugs are shallow?

Robert P. J. Day rpjday at crashcourse.ca
Fri Jan 8 05:35:28 EST 2010


On Fri, 8 Jan 2010, Chris Frey wrote:

> On Fri, Jan 08, 2010 at 02:52:22AM -0500, Robert P. J. Day wrote:
> >   any other thoughts?  i've always liked the idea of "given enough
> > eyeballs, all bugs are shallow," but i don't think it can stand by
> > itself.  i think the defense of OSS as being more secure needs
> > more explicit points as to *why* it should be inherently more
> > secure.
>
> I think the maxim applies to both open and closed software.  The
> main benefit that FLOSS has is that the eyeballs can see more of the
> problem, and therefore it multiplies the usefulness of the work.
>
> But it works for closed source too.  There are untold hundreds of
> blog posts and forum posts of poor end users figuring out
> workarounds for their game systems or Microsoft Windows systems or
> driver problems or virus issues.
>
> If you have a software problem, which platform would you rather use
> your eyeballs on?  Open or Closed?
>
> But just because something is available doesn't mean it will be
> looked at. Not everyone reads The Art of Computer Programming, but
> most consider it a great work.  Same for FLOSS source code, in my
> opinion.

  again, i agree with your points in general, but this sort of
presentation still falls into the category of what i call "the warm
fuzzies."  sure, it seems undeniable that OSS will be more secure, but
i'm interested in some specific rationale for that.  and i think the
arguments have to be made more precise.

  for instance, i think there's a difference in saying that OSS *is*
automatically more secure versus claiming that it can more easily be
*made* more secure.  even if one postulates that OSS is not inherently
more secure by default, the argument could be made that, because of
its internal visibility and the fact that bugs can be located and
patches generated extremely quickly, OSS can be *made* more secure
much more quickly than closed source software.  i think that argument
stands on its own.

  that's the sort of thing i'm interested in -- arguments that go
beyond the warm fuzzies and use precise and well-defined examples of
*how* OSS is more secure.

rday
--


========================================================================
Robert P. J. Day                               Waterloo, Ontario, CANADA

            Linux Consulting, Training and Kernel Pedantry.

Web page:                                          http://crashcourse.ca
Twitter:                                       http://twitter.com/rpjday
========================================================================