[sarciszewski]

> I'll take a well-trained amateur that hates complexity over an expert any day.

I would consider someone sufficiently well-trained, yet wise enough to understand the value in simplicity, humble enough to listen to the ideas of others and keep learning, and curious enough to actively consult others for dissenting ideas to be one of tomorrow's experts.

In other words, I agree. :P

[nickpsecurity]

Very well worded haha. Given my background, I should throw in an exception for INFOSEC. If it's high security, you want as many experts as you can get to review various aspects for pitfalls and possible suggestions. Just too much to worry about for one master and good amateurs as complexity grows. Still leave final decision and priorities on any of that to the leader who was a master or an expert that's a cut above the rest in wise decision-making. That should filter BS and committee-think while getting review benefits.

That's actually been my recommendation for a while for high assurance. What you think of it?

[sarciszewski]

I like it.

Somewhat related anecdote: Trying go get WordPress to adopt a CSPRNG was painful for a year.

Then I started paragonie/random_compat and like 30 other people pitched in to improve it, and then I suggested just using that (so new code can be written against PHP 7's API). And so the problem was solved.

I'd tend to agree that, for security matters, a small team of people focused on success with the knowledge and/or resources they need to execute on their own initiatives gets a better result than a large team with varied interests and use cases.

[nickpsecurity]

Good job on winning that uphill battle. One of those little things that can prevent immeasurable damage given its userbase.

[sarciszewski]

That was my intention. Dion Hulse really pulled through on WP's end, and he's quick to pull in upstream changes into their trunk branch for testing. :)