Slashdot Mirror


Are All Bugs Shallow? Questioning Linus's Law

root777 writes to point out a provocative blog piece by a Microsoft program manager, questioning one of the almost unquestioned tenets of open source development: that given enough eyeballs, all bugs are shallow. Are they? Shawn Hernan looks at DARPA's Sardonix experiment and the Coverity static-analysis bug discovery program in open source projects to conclude that perhaps not enough eyeballs are in evidence. Is he wrong? Why? "Most members of the periphery [those outside the core developer group] do not have the necessary debugging skills ... the vast numbers of 'eyeballs' apparently do not exist. ... [C]ode review is hardly all that makes software more secure. Getting software right is very, very difficult. ... Code review alone is not sufficient. Testing is not sufficient. Tools are not sufficient. Features are not sufficient. None of the things we do in isolation are sufficient. To get software truly correct, especially to get it secure, you have to address all phases of the software development lifecycle, and integrate security into the day-to-day activities."

3 of 596 comments

  1. Mods by TapeCutter · Score: 0, Offtopic

    Flamebait? Only if Windows source code has achieved self-awareness and is now capable of flaming.

    --
    And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
  2. Perfect code may not be perfect.. by 3seas · Score: 1, Offtopic

    Air France went into the ocean. THERE WAS NOTHING WRONG WITH THE CODE!!!

    What was in error was the philosophy the code was written by.

    A philosophy that disallowed human intervention. Disallowed human handling of exceptions.

    A philosophy that put machine over man.

    Don't bow down to the stone image of the beast of man, for this beast is error prone and the image of this beast can be no better, even in perfection of an image.

    Computers are made of stone, minerals, metals, etc., and the image is of thought processes.

    No need for religion in this realization.

    Open source allows for human interaction in its fundamental philosophy, where we all can make or contribute to correction and refinement.

    Another example of perfect code and failure was the newly installed 911 service in Atlanta, for the 1996 Olympics. A system that required an address to be entered before it would transmit the call to the field.

    Where was the failure here? Failure to give the Bicentennial park an address? Or expecting all places of crime to have been given an address?
    There was nothing wrong with the code of the software, but with the design philosophy of the software.

    In other words, there was no code to correct without first realizing that the philosophy the code was based on was what was in error.

    Microsoft is, by far, practicing a philosophy of being successful by entrapment of its customers, making people need Microsoft software.
    And a large part of how it does this is by being Windows, where you can see where you want to go, but you can't get there by yourself.

    That's not the way open source software works. And it is open source software pressure that gives MS motive to improve its products.

    And MS is biting the hand that is keeping it from being too much of a fat, lazy corporate consumer entrapment marketing firm, which it apparently wants to be.
    And we have seen and continue to see legal courtroom proof of MS's intent.

  3. Re:It needs shifting by Eskarel · Score: 0, Offtopic

    Just as a note, nearly all Google software is open source, but Google does more to lock us in, categorize us, and direct us to perpetuate ourselves as good little consumers than Microsoft ever did.