Slashdot Mirror


Are All Bugs Shallow? Questioning Linus's Law

root777 writes to point out a provocative blog piece by a Microsoft program manager, questioning one of the almost unquestioned tenets of open source development: that given enough eyeballs, all bugs are shallow. Are they? Shawn Hernan looks at DARPA's Sardonix experiment and the Coverity static-analysis bug discovery program in open source projects to conclude that perhaps not enough eyeballs are in evidence. Is he wrong? Why? "Most members of the periphery [those outside the core developer group] do not have the necessary debugging skills ... the vast numbers of 'eyeballs' apparently do not exist. ... [C]ode review is hardly all that makes software more secure. Getting software right is very, very difficult. ... Code review alone is not sufficient. Testing is not sufficient. Tools are not sufficient. Features are not sufficient. None of the things we do in isolation are sufficient. To get software truly correct, especially to get it secure, you have to address all phases of the software development lifecycle, and integrate security into the day-to-day activities."

2 of 596 comments

  1. Re:Bugs are an error in the... by 1s44c · Score: 0, Troll

    And that got modded insightful? Who gave the MS astroturfers mod points?

    None of this is a matter of morality; it's a simple matter that more people reading, and understanding, code makes for better code with fewer bugs.

    Anyone can spend a lot of time reading the Linux code and get to understand it; very few people can see Microsoft's code.

  2. Re:Choose freedom, not some $attribute by Blakey Rat · Score: 1, Troll

    Is that because of an inherently superior product, or because manufacturers work with Microsoft so that the ACPI settings work perfectly with Windows, yet they ignore everyone else?

    As an end-user, I can confidently say: I do not give a shit.

    You shouldn't use sleep and suspend anyway, just shut the damn thing down.

    Yeah, well, Linux also takes longer to start up after it's been shut down. :)

    But more seriously, if I'm on a train, and I close the lid to walk 10 minutes to work where I open the lid again, I should do a *full shutdown*? For 10 minutes?