Slashdot Mirror


Are All Bugs Shallow? Questioning Linus's Law

root777 writes to point out a provocative blog piece by a Microsoft program manager, questioning one of the almost unquestioned tenets of open source development: that given enough eyeballs, all bugs are shallow. Are they? Shawn Hernan looks at DARPA's Sardonix experiment and the Coverity static-analysis bug discovery program in open source projects to conclude that perhaps not enough eyeballs are in evidence. Is he wrong? Why? "Most members of the periphery [those outside the core developer group] do not have the necessary debugging skills ... the vast numbers of 'eyeballs' apparently do not exist. ... [C]ode review is hardly all that makes software more secure. Getting software right is very, very difficult. ... Code review alone is not sufficient. Testing is not sufficient. Tools are not sufficient. Features are not sufficient. None of the things we do in isolation are sufficient. To get software truly correct, especially to get it secure, you have to address all phases of the software development lifecycle, and integrate security into the day-to-day activities."

8 of 596 comments

  1. Re:Yeah, right.... by iserlohn · Score: 2, Funny

    "The proof of the pudding is in the eating", or as in the case of Microsoft, "the proof of the FUDding is in the beating"...

  2. Why do we take M$ punditry seriously? by haruchai · Score: 5, Funny

    Let me rephrase this for him -

    "For 25 years, we deliberately chose to ignore the bitter lessons that were learned by the big vendors, to take shortcuts to ship shit software first and fix it later, and to build up massive layers of cruft in the name of backward compatibility. Now we are caught in a nice pickle, as we've spent years trying to fill the leaks in our crap - some of which is so insecure that, 8 years after the launch, we still have record numbers of bugs in Windows XP almost every fucking Patch Tuesday - and restructure it into something rock solid. However, until we can get this done, we need to play smoke and mirrors, convince you to toss Win XP - and your old PC, most likely - buy our latest and greatest, and spit out ever more FUD about how nobody else can get stuff done except us.

    Ladies and gentlemen, I give you the M$ business plan and I'm pleased to say that it's working as well as ever and thank you all"

    --
    Pain is merely failure leaving the body

  3. Re:Silent L by deniable · Score: 3, Funny

    I get it, ULSER. Good one. They cause me that sort of stress too.

  4. Re:Yes. Yes, they are. by harlows_monkeys · Score: 2, Funny

    Any technological endeavor human beings work towards will always be subject to "more eyeballs means improvement".

    So that's why the more people there are on the committee that designed a language or protocol, the better the result. I'd always wondered about that.

  5. Re:more shallow than Windows by Demonoid-Penguin · Score: 2, Funny

    Yes, but thanks to proprietary software, none of those bugs will be fixed, only found and exploited.

    Didn't you read the referenced article? Microsoft has a superior, um, thingie - and so there are no bugs to be found. And if you disagree they will crank up their Aesopian ghostwriting dept and prove you wrong. (probably with a backing soundtrack of screaming rabbits and crying babies).

    Having said that - where's my FanBoi(TM) t-shirt?

  6. Re:more shallow than Windows by Interoperable · Score: 3, Funny

    Presumably Microsoft employees do look at the source code but some days I have my doubts. (I'm kidding of course)

    --
    So if this is the future...where's my jet pack?

  7. Re:Bugs are an error in the... by __aasqbs9791 · Score: 4, Funny

    ...A perfect program that is never written isn't very useful.

    It is, however, bug-free!

  8. Re:To get software truly correct... by rasputin465 · Score: 2, Funny

    I had the exact same thought. "Getting software right is very, very difficult" ... "trust us, we know; we still haven't figured out how to get it right".