[ale] Security and OSS

scott boss scott at sboss.net
Thu Feb 18 18:29:32 EST 2010


I still think the many eyes is true.  Now there will always be fringe
products that won't.

Sent from my mobile...

On Feb 18, 2010, at 18:18, JK <jknapka at kneuro.net> wrote:

> Many of you have probably seen this on /. already. The article
> is thought-provoking, and touches on some issues that have
> arisen on this list recently.
>
> http://blogs.msdn.com/shawnhernan/archive/2010/02/13/microsoft-s-many-eyeballs-and-the-security-development-lifecycle.aspx
>
> http://preview.tinyurl.com/yapyo8w
>
>
> My initial thoughts about this are:
>
> First, I've noticed a dearth of "many eyes" on the majority of OSS projects'
> code bases.  Some projects, like the Linux kernel, gather a lot of attention.
> Most, however, are limited to the scrutiny of their core developers, and
> maybe a few sometime contributors who get annoyed by specific bugs.
>
> Nonetheless, for many OSS projects the core development team constitutes a
> cadre of hard core users, since most OSS projects are run by folks who
> need the tools they are maintaining.  When a bug is noticed that affects
> that group, it's likely to be fixed very quickly.  This is unlike
> proprietary software that is being maintained by paid staff, who may not
> have any particular need for the software they are paid to work on.
>
> The bugs that get found by OSS developers probably tend to be those that
> directly affect the functionality of the software.  Security bugs often
> have no harmful effect until they are exploited, so would be less likely
> to be caught by folks fixing bugs that directly affected them.
>
> Finally, I have a vague idea that ESR's "many eyes" argument may have been
> more true in the past, when there were fewer OSS projects, and those were
> being maintained by a pool of talented developers who were spread less
> thin.  But I'm not sure about that.
>
> -- JK
>
>
> --
> We Americans are a freedom-loving people, and nothing says "freedom"
> like Getting Away With It. -- Guy Forsyth, "Long Long Time"

