[adestefan]

The “many eyes” hypothesis is routinely debunked when severe security bugs are found in things like the Linux kernel that have been there for years. The same is true for standards that end up being fundamentally broken at later dates. In the end software and hardware is so overly complicated that we cannot currently build secure systems.

[imglorp]

Debunked is a loaded term.

It's a tradeoff. The point is not MANY eyes, it's ANY eyes. Proprietary software has NO public eyes on it, zero, and the vendor must (1) report to you promptly when there's a new vulnerability, (2) produce a fix for it. Most vendors do neither until forced. How many undisclosed vulns does your vendor have? You'll never know.

Of course FLOSS has bugs, it's software, and ALL software has bugs. In the FLOSS case you know what everyone else knows, AND you can fix them, hire someone to do it, or choose not to use the software, all with that knowledge.

[jodrellblank]

> Proprietary software has NO public eyes on it, zero

If that were true, security flaws would never be found in proprietary software by outsiders. And they are, so it's not true. Eyes have less visibility into the codebase, but people are looking and do find flaws.

> How many undisclosed vulns does your vendor have? You'll never know.

How many undisclosed vulns does RedHat, Canonical, or Mozilla have in their FLOSS software? You'll never know.

> Of course FLOSS has bugs, it's software, and ALL software has bugs.

Then "many eyes makes bugs shallow" is at least partly debunked and your "ANY eyes make bugs shallow" is debunked completely - otherwise the original developers would see every bug, in FLOSS and proprietary software.

> In the FLOSS case you know what everyone else knows

There may be bugs which nobody knows about. The claim "many eyes make bugs shallow" suggests that open source software has more eyes on the code, and that having more eyes on the code is all it takes to reduce bugs. OpenSSL turned out to have very few eyes on the code, and it wouldn't be too surprising if codebases with many eyes on them had the developers focused on the bits they were developing and not looking for security flaws.

[whoopdedo]

Complexity counteracts the many eyes principle. That doesn't invalidate it. A large codebase that is difficult for one person to read will bury a bug for the same reason being open source reveals it.

What you're falling to is the selection bias because bugs in open source software are more often publicised than when a private team discovers something and patches it without telling anyone. Same as an open source bug being fixed quietly. Like the so-called VLC vulnerability that turned out to be the fault of the tester's out of date system library that had already been fixed upstream.

[pbhjpbhj]

>The “many eyes” hypothesis is routinely debunked when severe security bugs are found in things like the Linux kernel that have been there for years. //

Surely to debunk the theory you have to show that fewer bugs are in proprietary software of the same vintage?

AFAIK the many eyes hypothesis is that: as time progresses fewer exploitable bugs will exist in software that has the source open for inspection than in comparable closed source software(?).

When an ages old exploit/bug gets patched that is the many eyes principle working; a piece of software can't get more secure (or otherwise improve) without patching old code, surely.

[toxik]

I don't think it's as easy as saying "measles exists therefore vaccines don't work." Do you have actual studies on this that you can cite?

[pritambaral]

It is just as easy, and just as wrong, as saying "measles exists therefore vaccines don't work".

[wadkar]

I would like to read more about this many eyes hypothesis (and its falsification). Could you please share some links for the same?

[toxik]

https://en.m.wikipedia.org/wiki/Linus's_Law This is the term notable hacker Eric S. Raymond (esr) popularized in his seminal work, The Cathedral and the Bazaar. Read it if you care at all about software engineering processes.

I don’t, so I didn’t.