by marginalx 28 days ago
Clearly for commercially oriented open source software, security through obscurity is one way to keep the pace in the short term. Not an option for proper open source software. Will this be the case that people who use open source software that is easily detectable will also start to shy away from using them for the fear of zero-days?

One of the benefits of open source has been that there are more eyeballs on the source, leading to more secure code/better quality. I think given enough time the bug reports will plateau and we will be back to a normal cadence - once the tsunami is over, hopefully things will settle at a more manageable cadence.

3 comments

I'm not sure that the benefit of many eyes helps here. So much of this bulk scanning is low-effort, and if you're a smart person developing closed source software you get the benefits of bulk scanning, but _at the time of your choosing_.

OSS has always had tradeoffs and I sadly think this one is going straight to the "Cons" column. We still think the Pros outweigh the Cons, but this is NotGreat.

This benefit you speak of is actually just a meme.

Source that is unmaintained is dead. Nobody is looking at it, even the maintainer has something better to do.

Do you know what's even more powerful than "eyeballs"? Money.

Let's be honest, LLMs with fuzzers are going to pound any llvm generated binary right in the hubris.

Won't matter if it is closed source, signed, and/or obfuscated. =3

Don't think you even need to qualify that with "llvm generated."
Nondeterministic compiled code-motion in llvm means a workaround can't reliably be patched given version permuted bug emergence.

Fun times =3

It's certainly possible to write optimizations that generate nondeterministic llvm outputs, but the docs explain conditions when that can happen, and warn against it.