[ale] Security and OSS

David Tomaschik david at tuxteam.com
Thu Feb 18 20:46:30 EST 2010


JK wrote:
> Many of you have probably seen this on /. already. The article
> is thought-provoking, and touches on some issues that have
> arisen on this list recently.
>
> http://blogs.msdn.com/shawnhernan/archive/2010/02/13/microsoft-s-many-eyeballs-and-the-security-development-lifecycle.aspx
>
> http://preview.tinyurl.com/yapyo8w
>
>
> My initial thoughts about this are:
>
> First, I've noticed a dearth of "many eyes" on the majority of OSS projects'
> code bases.  Some projects, like the Linux kernel, gather a lot of attention.
> Most, however, are limited to the scrutiny of their core developers, and
> maybe a few sometime contributors who get annoyed by specific bugs.
>
> Nonetheless, for many OSS projects the core development team constitutes a
> cadre of hard core users, since most OSS projects are run by folks who
> need the tools they are maintaining.  When a bug is noticed that affects
> that group, it's likely to be fixed very quickly.  This is unlike
> proprietary software that is being maintained by paid staff, who may not
> have any particular need for the software they are paid to work on.
>
> The bugs that get found by OSS developers probably tend to be those that
> directly affect the functionality of the software.  Security bugs often
> have no harmful effect until they are exploited, so would be less likely
> to be caught by folks fixing bugs that directly affected them.
>
> Finally, I have a vague idea that ESR's "many eyes" argument may have been
> more true in the past, when there were fewer OSS projects, and those were
> being maintained by a pool of talented developers who were spread less
> thin.  But I'm not sure about that.
>
> -- JK
>
>
>
Not to say that bugs or security issues in any application are
insignificant, but I think what is ignored by his post is the fact that
some code is HEAVILY audited. The Linux kernel, OpenSSL, OpenSSH, GnuPG,
and many other security tools are good examples.


David
