by starkness 4344 days ago
We're in the process right now of writing up a more in-depth policy proposal, but you're spot on in terms of different levels of risk management. And we're not at all against security testing, which is also one of the great benefits of FOSS. ("Given enough eyeballs, all bugs are shallow.")

And the audits comprise financial audits as well, which surely make sense for bitcoin exchanges and companies holding funds, but not so much for open source projects or technologies that are built around bitcoin but where no funds are held.

That said, the actual regulatory proposal has many more requirements than are even mentioned in the article (including quarterly reports to the NY State Superintendent, collection of user data, and the possibility of being denied a license without a system for due process in place), and things that the creator of a Reddit tip bot surely couldn't comply with.

2 comments

This is great to hear. The best way for software to keep itself relatively unburdened by (poorly implemented) regulation is for industry to hold itself to high standards. And why wouldn't we? We're proud of what we build.

I'll be very curious to see how companies built up around client software but not directly handling money are treated in your proposal. I think safety-critical industries cover these in various different ways, normally under the assumption that the companies are producing either a) "components" for use in safety-critical systems; or b) tools which will be used for QA processes. I'm not sure either applies well, especially in the case of OSS. And I don't know of anything similar in finance.

> Given enough eyeballs, all bugs are shallow.

Tell that to OpenSSL.

Or tell that to Linus Torvalds, as it's his law.