[stormbrew]

Or 2014 should be the year that it's confirmed that open sourcing something can lead to people finding bugs in it. It's kind of bizarre to me that people finding bugs in open source software and being able to both patch it and release patches of it themselves indicates a failure of open source. It's not as if the closed source security software of the world fared any better this year, and I'd still rather be able to get a patch from Debian right away than wait for Microsoft to get off their ass and release one.

On a practical level there are clearly limits to the many eyeballs hypothesis. Particularly if your assumptions about it were based on the idea that every user is an 'eyeball'. It's obvious there isn't a linear relationship between the two. None of that means it isn't still better than the alternative.

[wglb]

It's kind of bizarre to me that people finding bugs in open source software and being able to both patch it and release patches of it themselves indicates a failure of open source.

The claim is not that it is a failure of open source, but that is a failure in the "many eyeballs" claim.

Looking at two fairly famous bug hunters, Juliano Rizzo and Thai Duong finding POET, BEAST and CRIME, didn't require open source to find these bugs. BEAST was identified in 2002, but wasn't taken seriously.

Not having source is not much of a speed bump for a bug finder.

This "many eyeballs" is giving us all a false sense of security.

[eps]

> This "many eyeballs" is giving us all a false sense of security.

Precisely!

This issue is further amplified by the fact that lots of people believe that "open source" means "trustworthy". If someone opens up their code, they must be good guys. This assumption is very easy to exploit. All a bad player needs to do is to distribute both the source and the binaries, but build latter from an alternative source. Just look how long it took for someone to actually try and verify that TrueCrypt binaries were in fact built from the source supplied. And that's for a security product with a massive installation base.

[stormbrew]

"Bugs can be found in closed source software" and "code will be seen by a wider variety of programmers if the source is open" are not contradictory statements. This is a false dilemma.

I agree there is an element of false sense of security, but I fail to see how the answer to that is to actively encourage our security software to be closed source.

[click170]

> Not having source is not much of a speed bump for a bug finder.

As someone who has found bugs in software thanks to having access to the source code, I call bullshit on this. I likely would not have been able to identify the bug myself without access to the source.

It is true that you can find bugs in closed source software, but it sure as hell is a lot easier when we have access to the source.

(I'm aware that code doesn't have to be Open Source for me to have access to it, but I feel that's splitting hairs.)