Are All Bugs Shallow? Questioning Linus's Law
root777 writes to point out a provocative blog piece by a Microsoft program manager, questioning one of the almost unquestioned tenets of open source development: that given enough eyeballs, all bugs are shallow. Are they? Shawn Hernan looks at DARPA's Sardonix experiment and the Coverity static-analysis bug discovery program in open source projects to conclude that perhaps not enough eyeballs are in evidence. Is he wrong? Why? "Most members of the periphery [those outside the core developer group] do not have the necessary debugging skills ... the vast numbers of 'eyeballs' apparently do not exist. ... [C]ode review is hardly all that makes software more secure. Getting software right is very, very difficult. ... Code review alone is not sufficient. Testing is not sufficient. Tools are not sufficient. Features are not sufficient. None of the things we do in isolation are sufficient. To get software truly correct, especially to get it secure, you have to address all phases of the software development lifecycle, and integrate security into the day-to-day activities."
While I think there is a bit of merit to this, it certainly doesn't hurt to have as many eyes as possible - especially when you don't have to pay for them.
It sure as fuck DOES hurt to have too many eyes.
Too many cooks spoil the broth.
Too many coders will fork your project.
And fuck no, not all bugs are "shallow".
Most bugs you get in open source development are, sure, because you've got tons of people contributing, for free, in their spare time.
Those minor mistakes get through initial submission and eventually get caught.
Many bugs are the exact opposite of shallow - extremely difficult to replicate, isolate, understand, and resolve.
These bugs are typically hardware-related. There's a reason we pay the big boys the big bucks to make drivers and firmware - they need to know what's going on with the bare metal. Running software on top of that isn't necessarily less complex, but debugging it sure as fuck is.
Consider for example the sheer breadth of hardware support offered by MS - third party drivers, first party drivers, and generic first party drivers for when the third parties can't get their shit together. This is where most bugs a user will ever see come from.
When a bug in your Linux distro pops up, it's not a bug, it's because your hardware isn't fully supported yet.
When a bug in Windows pops up, Bill Gates is a fucking tool and should kneel before Linus.
This mentality is ridiculous, and calling bugs "shallow" is an obvious slight at MS and other companies - "WOW MS couldn't fix this simple bug? Their billions of dollars are no match for the power of OSS! Now how are things going on copying the new Windows 7 interface?"
And that got modded insightful? Who gave the MS astroturfers mod points?
None of this is a matter of morality, it's a simple matter that more people reading, and understanding, code makes for better code with fewer bugs.
Anyone can spend a lot of time reading the Linux code and get to understand it; very few people can see Microsoft's code.
Is that because of an inherently superior product, or because manufacturers work with Microsoft so that the ACPI settings work perfectly with Windows, yet they ignore everyone else?
As an end-user, I can confidently say: I do not give a shit.
You shouldn't use sleep and suspend anyway, just shut the damn thing down.
Yeah, well, Linux also takes longer to start up after it's been shut down. :)
But more seriously, if I'm on a train, and I close the lid to walk 10 minutes to work where I open the lid again, I should do a *full shutdown*? For 10 minutes?
Comment of the year