[kwlug-disc] given enough eyeballs, all bugs are shallow?

Paul Nijjar paul_nijjar at yahoo.ca
Fri Jan 8 23:01:04 EST 2010


On Fri, Jan 08, 2010 at 05:35:28AM -0500, Robert P. J. Day wrote:
> 
>   that's the sort of thing i'm interested in -- arguments that go
> beyond the warm fuzzies and use precise and well-defined examples of
> *how* OSS is more secure.

I am not sure that FLOSS is more secure. I am pretty sure I don't
believe the eyeballs argument. Here are some reasons why: 

0. There are too many free riders. Companies can get away with
releasing GPL "Community Versions" and closed-source "Enterprise
editions" of their software because they know we are free-riders and
won't fill in the missing bits in the community version software. 

1. Many bugs don't get reported, because you have to be an expert to
report a bug, and you need to be running the latest bleeding-edge
version of whatever software is in question. You also need to phrase
your question in exactly the right way using exactly the right
terminology, or people snark at you and point you to ESR's patronizing
"Smart Questions" document. 

2. Many of the software projects we depend upon are subsidized by big
companies for reasons I often cannot understand and do not see as
sustainable. Then they are bought by Oracle and people freak out. 

I know I am exaggerating and not providing numbers. I still despair
for the future of free software. Many eyeballs only work if enough of
those eyeballs are willing to contribute improvements. 

A counterexample to this is the FLOSS Fund nominee I am considering,
which is an organization that actually does inspect source code for
flaws, and has done quite a bit to make important software bits
better.

- Paul