[falcolas]

> At least with Linux we have thousands of open source developers keeping an eye on things

A bit of pithy sarcasm for your morning: Those thousands of eyes worked so well with OpenSSL, didn’t it?

Those eyes are less vigilant than you might think, especially when the eyes aren’t being paid to monitor a particular chunk of code.

[sudosysgen]

Yes, they worked pretty well for OpenSSL. The issue was found eventually. In a proprietary system, it may have been there forever.

[jcranmer]

You're discounting the risk that, because it's open source, everyone assumes that someone else has done the security analysis. That is precisely what happened with OpenSSL--everyone assumed, since it's a big open source package, that somebody was keeping on top of this sort of issue, but nobody was.

That there have been two major OpenSSL security fumbles (first was the Debian OpenSSL fiasco, second Heartbleed) sort of suggests that the value of "many eyes" for ensuring security is vastly overrated.

[pbhjpbhj]

How's that different to MS Windows, we assume the code is good, but some of the errors/oversights that crop up beggar belief.

[turc1656]

It's not different. I think that's their point. FOSS like Linux doesn't automagically make it "safer" than proprietary systems like Windows.

[falcolas]

It was not found by general developers doing security audits, it was found by a security company doing fuzzing attacks against SSL libraries.

And not to mention that Windows - the explicitly called out alternative from this article - makes their source available for security companies (as well as general developers who sign up for their MSDN program).

[ryanlol]

> In a proprietary system, it may have been there forever.

Why? Heartbleed was discovered by fuzzing the compiled binaries, not by eyeballing the source code.

Nothing prevents you from performing the exact same research on proprietary software.