[kwlug-disc] given enough eyeballs, all bugs are shallow?

Bob Jonkman bjonkman at sobac.com
Fri Jan 8 23:41:46 EST 2010


Insurance Squared writes:

> Boggles my mind that what I'm running on my desktop has been built by 
> people doing it for free after work.

Mostly not.  I think that many (most) of the F/LOSS tools and programs 
have been written by corporate programmers writing for their 
corporation.  The spinoffs of Libre software have made their code 
available to the rest of us.

Think of Novell's SUSE development.  Here is a commercial Linux 
development company, releasing their code for free.  But those guys get 
*paid* by Novell to do that.  Granted, Novell pays them (and other 
programmers) to build proprietary applications that run on SUSE, but 
first they need to build the foundation OS needed by those proprietary 
applications, and that foundation OS is released freely.

--Bob.

Bob Jonkman <bjonkman at sobac.com>         http://sobac.com/sobac/
SOBAC Microcomputer Services              Voice: +1-519-669-0388
6 James Street, Elmira ON  Canada  N3B 1L5  Cel: +1-519-635-9413
Software   ---   Office & Business Automation   ---   Consulting




Insurance Squared Inc. wrote:
> There are two reasons people use foss.   We can debate why these 
> reasons are true till the cows come home (and likely will :) ), but in 
> no particular order, this is what it boils down to:
> 1) free
> 2) works better
>
> And point #2 isn't always a prerequisite.
>
> Linux on the server has been both #1 and #2 for quite a while.  On the 
> desktop, I think in the last 2-5 years it's now become #2 as well - 
> better than alternatives.  The folks building the desktop stuff have 
> made astonishing progress in that time.  Boggles my mind that what I'm 
> running on my desktop has been built by people doing it for free after 
> work.  It's been an almost exponential increase in features. 
>
> Which brings up something I find really cool to speculate on.  If 5 
> years ago linux on the desktop sucked (and it did) and 3 years ago it 
> was on par with other OS (worked great, had some issues) to its 
> current state (better than other OS, faster, looks better, works 
> better, more features)  then what the heck is my desktop going to look 
> like in another 5 years?  I can't wait!
> g.
>
>
> john at netdirect.ca wrote:
>> kwlug-disc-bounces at kwlug.org wrote on 01/08/2010 01:00:12 PM:
>>   
>>> From: Lori Paniak <ldpaniak at fourpisolutions.com>
>>>
>>> I don't believe that the culture of FOSS makes the software more secure.
>>> In fact, there are examples of how it makes software more insecure.  For
>>> example, the libssl fiasco in Debian/ubuntu of two years ago.  There,
>>> the community (Debian package maintainer) decided to add value to the
>>> code by eliminating all the "unnecessary" files from the code.  Of
>>> course, along with them went the entropy to make decent keys.  It took
>>> more than a year for the community to notice that SSL keys produced by
>>> the code were defective and do something about it.
>>>     
>>
>> You cannot possibly mean that misusing a library is not possible in closed 
>> source world.
>>  
>>   
>>> On the upside, this example showed how the community could quickly act
>>> to remove the defective code from service and repair the damage.
>>>     
>>
>> This is one of the key facets that I think makes FOSS more secure.
>>  
>>   
>>> When presenting the advantages of open source, we ought to stick to
>>> demonstrable facts and avoid the pseudo-science of software sociology.
>>> FOSS is made by people, just like code from the other guys and gals.
>>>     
>>
>> I find it useful to talk about motivations and capabilities. Demonstrable 
>> facts tend to be statistics which are point-in-time measurements. The 
>> former has more longevity.
>>
>>   
>>> Like all software, it is broken and/or will eventually need modification
>>> if it is good enough to be used.  The advantage of FOSS is that you are
>>> guaranteed the permission and background code to make these
>>> repairs/changes.  Try getting critical security patches for XP in 5
>>> years. 
>>>     
>>
>> I don't think we have to wait that long to see Microsoft software that is 
>> in use that doesn't have patch support.
>>
>> One might also contend that I can't find software patches for Red Hat 8.0. 
>> Despite being able to patch the code myself, I'm just not tuned into the 
>> security community well enough.
>>  
>>   
>>> As for 'lots of eyes make for small bugs' chestnut, the counter-argument
>>> would be that in desktop-land Linux has 1% of the eyeballs, OSX, 9% and
>>> Microsoft 90%.  Hence, the Apple desktop is 9x more secure than Linux
>>> and Windows 90x.  If you disagree, then you also disagree with the
>>> original claim.  The issue of software security is too complicated to
>>> summarize in a single phrase.
>>>     
>>
>> The counter-counter argument is that those OSX and MS eyeballs you refer 
>> to don't have complete vision. They are essentially testers because they can't 
>> see the code.
>>
>> How many programmers, researchers, students and other concerned people are 
>> reading FOSS code? How many are reading closed code?
>>
>> I talked with Rob Day recently and realised that he fits one of my 
>> theorized anecdotes about FOSS.
>>
>> I used to use a theoretical case to explain this. Imagine a programmer 
>> that has a pet peeve about something. It could be wasted memory space, 
>> logic inefficiency, or some subtle or far-fetched vulnerability. He 
>> decides to scour a FOSS package looking to find or eradicate the issue and 
>> comes up with modest space savings. Would a corporate body have done this? 
>> If the perceived cost-benefit was too small, or just smaller than other 
>> options, then they would not do it. Would a community do this? Yes of 
>> course because one individual took initiative. 
>>
>> Rob Day exemplified this because he had a peeve and knew how to deal with 
>> it. He saw a problem with the kernel source code. The config variables 
>> used in determining what features are compiled into the kernel had lots of 
>> errors. This was a problem that bothered Rob, but didn't bother other 
>> kernel programmers enough to do something about it. Rob did something 
>> about it. He created a relatively simple program that scanned for typos, 
>> uploaded the list to a web site and notified module maintainers of the 
>> problem.
>>
>> With all the kernel programmers out there, Rob was the first to come up 
>> with that idea. Imagine tens of thousands of programmers contributing to 
>> the kernel over the years and only one that created a solution to this 
>> problem. How many people have worked on the Windows kernel? Probably 
>> hundreds, maybe a thousand. How many good ideas are not implemented?
>>
>>
>> John Van Ostrand
>> Net Direct Inc.
>>  
>> CTO, co-CEO
>> 564 Weber St. N. Unit 12
>>  
>> Waterloo, ON N2L 5C6
>>  
>> john at netdirect.ca
>> Ph: 866-883-1172
>> ext.5102
>> Linux Solutions / IBM Hardware
>> Fx: 519-883-8533
>>  
>>
>>
>>
>> _______________________________________________
>> kwlug-disc_kwlug.org mailing list
>> kwlug-disc_kwlug.org at kwlug.org
>> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
>>
>>   
>

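The Rob Day anecdote quoted above describes a scanner for mistyped kernel config symbols: a `CONFIG_` reference that no Kconfig file declares is silently false, so whatever it guards (including hardening code) is never compiled. The following is an added illustration of that kind of check, not Rob Day's tool or anything from the kernel tree. It assumes the two conventions it checks for (symbols declared as `config NAME` / `menuconfig NAME` in Kconfig, referenced as `CONFIG_NAME` or `CONFIG_NAME_MODULE` in C sources and Makefiles); the Kconfig fragment and source files embedded below are constructed sample input, and `NET_HARDENNING` is a deliberately misspelled symbol.

```python
import os
import re
from typing import Dict, List, Set, Tuple

# Kconfig declares a symbol with "config NAME" or "menuconfig NAME" at line start.
KCONFIG_DECL = re.compile(r"^\s*(?:menu)?config\s+([A-Za-z0-9_]+)\s*$", re.MULTILINE)
# C sources and Makefiles refer to it as CONFIG_NAME; tristate symbols built as
# modules additionally appear as CONFIG_NAME_MODULE.
CONFIG_REF = re.compile(r"\bCONFIG_([A-Za-z0-9_]+)")


def parse_kconfig_symbols(kconfig_text: str) -> Set[str]:
    """Return the set of symbol names declared in one Kconfig file's text."""
    return set(KCONFIG_DECL.findall(kconfig_text))


def find_undefined_config_refs(
    sources: Dict[str, str], defined: Set[str]
) -> List[Tuple[str, int, str]]:
    """Return (filename, line_number, symbol) for every CONFIG_ reference
    that no Kconfig declares, i.e. a guard that can never be true."""
    hits: List[Tuple[str, int, str]] = []
    for name, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for sym in CONFIG_REF.findall(line):
                # Accept FOO_MODULE when the tristate symbol FOO is declared.
                base = sym[: -len("_MODULE")] if sym.endswith("_MODULE") else sym
                if sym in defined or base in defined:
                    continue
                hits.append((name, lineno, sym))
    return hits


def scan_tree(root: str) -> List[Tuple[str, int, str]]:
    """Walk a source tree (hypothetical layout: Kconfig* files plus C sources
    and Makefiles), collect declared symbols, then report dangling references."""
    defined: Set[str] = set()
    sources: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if fname.startswith("Kconfig"):
                defined |= parse_kconfig_symbols(text)
            elif fname.endswith((".c", ".h")) or fname == "Makefile":
                sources[os.path.relpath(path, root)] = text
    return find_undefined_config_refs(sources, defined)


# Constructed sample input: one Kconfig fragment and two source files.
SAMPLE_KCONFIG = """\
config NET_HARDENING
	bool "Enable extra network hardening checks"
	default n

config WIDGET_DRIVER
	tristate "Widget device driver"
"""

SAMPLE_SOURCES = {
    "drivers/widget/main.c": """\
#include <linux/module.h>
#ifdef CONFIG_WIDGET_DRIVER_MODULE
/* built as a loadable module */
#endif
#ifdef CONFIG_NET_HARDENNING   /* typo: extra N, so this block never compiles */
extern int widget_harden(void);
#endif
""",
    "drivers/widget/Makefile": "obj-$(CONFIG_WIDGET_DRIVER) += main.o\n",
}


def sample_report() -> List[Tuple[str, int, str]]:
    """Run the check over the constructed sample and return the findings."""
    return find_undefined_config_refs(SAMPLE_SOURCES, parse_kconfig_symbols(SAMPLE_KCONFIG))


if __name__ == "__main__":
    for fname, lineno, sym in sample_report():
        print(f"{fname}:{lineno}: CONFIG_{sym} is not declared in any Kconfig")
```

On the sample this flags only `drivers/widget/main.c:5`; the `_MODULE` reference and the Makefile reference resolve to declared symbols. Pointing `scan_tree()` at a real checkout generalises the same check to a whole tree, and a finding under an `#ifdef` that guards hardening or sanity-check code is worth treating as a silently disabled defence rather than a cosmetic typo.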


More information about the kwlug-disc_kwlug.org mailing list