
Comment by seanhandley

7 years ago

I guess it's the principle of "many eyes make all bugs shallow".

If the source is freely available, then every day someone is going to read it and maybe see/fix the bug.

You can't know what bugs are in code for which you do not have the source, and the pool of people reading it is likely to be much smaller.

> If the source is freely available, then every day someone is going to read it and maybe see/fix the bug.

How many years did Heartbleed go unnoticed? How many exploits in open source software get reported here?

It's not true that someone reads all of the open source code every day. The truth is, few people ever read any of it, and fewer still have the domain expertise necessary to be able to spot and patch any obvious bug, much less subtle ones. And yet this metaphysical belief in the "many eyes" persists.

Sure, it exists, but there are supposed to be eyes on the proprietary code as well, and the effect is probably smaller than people think, with no one outside of a project's maintainers ever actually studying the code for most open source projects.

  • I'd like to add one thing to this: Heartbleed also went unnoticed because the OpenSSL code and build process were in such a state that simply looking at it, and having to build it, cost an insane amount of effort.

    So if you truly want to benefit from open source firmware, it needs to also come in at least some minimal form of quality. Things such as good build documentation, automated builds in CI, and also low requirements for setting up development builds are a thing often not present in software all of us deem critical.

    It is much more intriguing to contribute to a project, use it and submit improvements when the entrance barriers are low.