> Proprietary software has NO public eyes on it, zero

If that were true, security flaws would never be found in proprietary software by outsiders. And they are, so it's not true. Eyes have less visibility into the codebase, but people are looking and do find flaws.

> How many undisclosed vulns does your vendor have? You'll never know.

How many undisclosed vulns does RedHat, Canonical, or Mozilla have in their FLOSS software? You'll never know.

> Of course FLOSS has bugs, it's software, and ALL software has bugs.

Then "many eyes makes bugs shallow" is at least partly debunked, and your "ANY eyes make bugs shallow" is debunked completely - otherwise the original developers would see every bug, in FLOSS and proprietary software.

> In the FLOSS case you know what everyone else knows

There may be bugs which nobody knows about. The claim "many eyes make bugs shallow" suggests that open source software has more eyes on the code, and that having more eyes on the code is all it takes to reduce bugs. OpenSSL turned out to have very few eyes on the code, and it wouldn't be too surprising if codebases with many eyes on them had the developers focused on the bits they were developing and not looking for security flaws.