[kwlug-disc] given enough eyeballs, all bugs are shallow?

Khalid Baheyeldin kb at 2bits.com
Sat Jan 9 20:57:57 EST 2010

On Fri, Jan 8, 2010 at 11:01 PM, Paul Nijjar <paul_nijjar at yahoo.ca> wrote:

> On Fri, Jan 08, 2010 at 05:35:28AM -0500, Robert P. J. Day wrote:
> >
> >   that's the sort of thing i'm interested in -- arguments that go
> > beyond the warm fuzzies and use precise and well-defined examples of
> > *how* OSS is more secure.
> I am not sure that FLOSS is more secure. I am pretty sure I don't
> believe the eyeballs argument. Here are some reasons why:
> 0. There are too many free riders. Companies can get away with
> releasing GPL "Community Versions" and closed-source "Enterprise
> editions" of their software because they know we are free-riders and
> won't fill in the missing bits in the community version software.

It does not matter how many free riders there are. What matters is the
0.01% of the users who participate and contribute back to the project
in meaningful ways.

If you have a critical mass of these, the project is healthy. How much
depends on the project size, scope, development model, etc.

> 1. Many bugs don't get reported, because you have to be an expert to
> report a bug, and you need to be running the latest bleeding-edge
> version of whatever software is in question. You also need to phrase
> your question in exactly the right way using exactly the right
> terminology, or people snark at you and point you to ESR's patronizing
> "Smart Questions" document.

Yes, the bleeding edge version is a problem. We see that in Drupal a lot.
This causes a delay in reporting, but eventually things get fixed. It takes
two versions instead of one, but it does get fixed.

> 2. Many of the software projects we depend upon are subsidized by big
> companies for reasons I often cannot understand and do not see as
> sustainable. Then they are bought by Oracle and people freak out.

Fair concern here (re: MySQL). But the GPL is what protects the project.
It remains to be seen if the code base for MySQL is too great for a
to sustain the project in an open development model or not.

In Drupal, companies sponsor features by employing core developers, but
in no way do they dictate what features go in. It is all by community

> I know I am exaggerating and not providing numbers. I still despair
> for the future of free software. Many eyeballs only work if enough of
> those eyeballs are willing to contribute improvements.

A healthy project is the one that has enough eyeballs AND hands. It depends
on the community building skills of the founders. If they alienate the
the project may die, or it may fork.

Remember MamboServer? It was forked to Joomla and that was healthy for
a long time. The name changed, but the code AND the community lived on.

Khalid M. Baheyeldin
2bits.com, Inc.
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W. Dijkstra
Simplicity is the ultimate sophistication. -- Leonardo da Vinci