by colatkinson 3007 days ago
> But there is no excuse for using 3rd party libs. Just don't use it. If you do not know it: do not use it.

Wait, what? That goes against one of the core benefits of open source software--that having many eyes on a problem decreases the risk of bugs. I'm willing to bet that if Uber had to implement their own machine learning/vision libraries from the ground up, there would be significantly more issues.

3 comments

Is there any evidence that this is the case? That simply putting more eyes on a system will reveal its problems?

Certification etc. is about process. Open source code can be used in a safety critical product, but it must be audited and confirmed against the system requirements.

Please do not get me started with the argument over "it is open source, so there are many eyes who have seen the code".

The problem with that is, nobody audits code just for fun if it is working. And even if it is buggy, most people look for bugs in their own software and then work around them, so that the original piece is not modified.

We have seen this in many open source projects. Remember all the obvious, mostly security related, bugs that weren't uncovered for years. They weren't uncovered because everybody thought: "huh, that is hard. I assume that others more experienced than I will have reviewed it, so I will trust it."

The thing with certification is that it is required that it is really reviewed. That there is a guarantee that it is reviewed. That people with a different mindset and a different background have reviewed it and as such have brought in their own view.

Certification does not guarantee that something is bug free. It guarantees only that it is reviewed. Open source has no guarantee that it is reviewed. There is only hope that someone has reviewed it.

In ISO13485 medical grade software (certain levels of it anyway), the same concept applies. Anything not written in house is "SOUP"; Software of Unknown Provenance. You're required to pass that through a review process before using it, and in many instances it's not worth the effort to review compared to instead just re-writing it yourself.