Slashdot Mirror


Are All Bugs Shallow? Questioning Linus's Law

root777 writes to point out a provocative blog piece by a Microsoft program manager, questioning one of the almost unquestioned tenets of open source development: that given enough eyeballs, all bugs are shallow. Are they? Shawn Hernan looks at DARPA's Sardonix experiment and the Coverity static-analysis bug discovery program in open source projects to conclude that perhaps not enough eyeballs are in evidence. Is he wrong? Why? "Most members of the periphery [those outside the core developer group] do not have the necessary debugging skills ... the vast numbers of 'eyeballs' apparently do not exist. ... [C]ode review is hardly all that makes software more secure. Getting software right is very, very difficult. ... Code review alone is not sufficient. Testing is not sufficient. Tools are not sufficient. Features are not sufficient. None of the things we do in isolation are sufficient. To get software truly correct, especially to get it secure, you have to address all phases of the software development lifecycle, and integrate security into the day-to-day activities."

3 of 596 comments

  1. Re:Bugs are an error in the... by Demonoid-Penguin · Score: 5, Informative

    Bugs are an error in the process, not the code. If you find a bug, you need to find the process error that allowed that bug to occur.

    Agreed!

    I read, with interest, the referenced article. I was expecting FUD - but I didn't find much, until I reached the Conclusion.

    e.g.

    The many eyeballs argument is neat, tidy, compelling, and wrong.

    The article starts with

    Eric S. Raymond wrote, “Given enough eyeballs, all bugs are shallow.” He calls this Linus’ law.

    and then attempts to refute. Fair enough. Except - the link leads to The Cathedral And The Bazaar - where I cannot find the quote... Hmmm

    Now this might be relevant if the "many eyes" routine was the only form of audit used in GNU/Linux - but it is not the only form of review/audit used. I'm sure other, more knowledgeable posters will be able to provide more evidence than I could find in a quick search.

    I call FUD

  2. Re:Bugs are an error in the... by BikeHelmet · Score: 4, Informative

    A ridiculous amount of the Linux kernel code is written by programmers paid by IBM, Intel, RedHat, etc.

    Someone pays. I'm just glad it isn't me.

  3. Re:Perfect code may not be perfect.. by Alioth · Score: 4, Informative

    Sorry, that's totally wrong. The Airbus FBW systems do allow reversion back to "just do what the damn human says". However, in the situation that aircraft was in, if it were a 1972-manufactured Boeing 747 with the same fault (no airspeed indication, inside a storm, in a flight regime where stall speed and maximum Mach number are very close together) it is likely that the end result would have been the same.

    Incidentally, how the A320 allows human handling of exceptions was very well demonstrated by the United flight that ended up in the Hudson - in which no lives were lost despite a very difficult situation.