[ale] Security and OSS

Geoffrey lists at serioustechnology.com
Fri Feb 19 04:45:10 EST 2010


JK wrote:
> Many of you have probably seen this on /. already. The article
> is thought-provoking, and touches on some issues that have
> arisen on this list recently.
> 
> http://blogs.msdn.com/shawnhernan/archive/2010/02/13/microsoft-s-many-eyeballs-and-the-security-development-lifecycle.aspx
> 
> http://preview.tinyurl.com/yapyo8w
> 
> 
> My initial thoughts about this are:
> 
> First, I've noticed a dearth of "many eyes" on the majority of OSS projects'
> code bases.  Some projects, like the Linux kernel, gather a lot of attention.
> Most, however, are limited to the scrutiny of their core developers, and
> maybe a few sometime contributors who get annoyed by specific bugs.
> 
> Nonetheless, for many OSS projects the core development team constitutes a
> cadre of hard core users, since most OSS projects are run by folks who
> need the tools they are maintaining.  When a bug is noticed that affects
> that group, it's likely to be fixed very quickly.  This is unlike
> proprietary software that is being maintained by paid staff, who may not
> have any particular need for the software they are paid to work on.
> 
> The bugs that get found by OSS developers probably tend to be those that
> directly affect the functionality of the software.  Security bugs often
> have no harmful effect until they are exploited, so would be less likely
> to be caught by folks fixing bugs that directly affected them.
> 
> Finally, I have a vague idea that ESR's "many eyes" argument may have been
> more true in the past, when there were fewer OSS projects, and those were
> being maintained by a pool of talented developers who were spread less
> thin.  But I'm not sure about that.

One note: I have, on occasion, reviewed code for which I am not an active
developer.  Call me sick; I like to check code out.  That being said,
OSS does have the added benefit of folks who are not the developers of
the code reviewing the code as well.

-- 
Until later, Geoffrey

"I predict future happiness for America if they can prevent
the government from wasting the labors of the people under
the pretense of taking care of them."
- Thomas Jefferson