Comment by colinsane
2 years ago
> what's interesting isn't true ("Linus's law" being perhaps the most notorious example)
> Even the high-level organizing notion of "cathedrals" and "bazaars", which should have been a lay-up, hasn't really proven out.
you and i live oceans apart. a year of working around NixOS and especially linux on mobile phones has me working in very bazaar-like systems — where every component is swappable/composable — and seeing/using Linus’ law daily — in that people from out of the blue will patch things i’d been unable to figure out and when i hit edge cases that look familiar enough in any software i install i will debug it & send fixes upstream.
i’m well aware the above is niche. on the other hand i’m fairly confident that niche would be inaccessible to most of us who are otherwise participating in it were it not leveraging these two concepts.
We do. As a vulnerability researcher, my take on "Linus's law" (which, like "Gell-Mann Amnesia", isn't the product of the famous person it's named for) --- "given enough eyeballs, all bugs are shallow" --- is that it has been effectively refuted by the recurrent discovery of grave vulnerabilities that have hidden in plain sight, sometimes for over a decade, and with the success of commercial vulnerability research work in eradicating those vulnerabilities.
I don't think "bugs are shallow", or the "many eyeballs" section of this essay, are particularly talking about _discovering_ bugs.
The author seems to have had a worldview in which bugs don't really matter if people aren't coming across them, and in which the difficult part of dealing with a bug is either reproducing it or getting from a symptom to a cause.
If you were in a world where those two things are true then I think he's probably right that "many eyeballs" would help a great deal.
It's not interesting to say that lots of interesting eyeballs are helpful. Anybody would have said that prior to this article's publication. Raymond makes a much stronger claim (which is why it has the force of "law"), and it hasn't borne out.
19 replies →
> The author seems to have had a worldview in which bugs don't really matter
That would explain so much… https://gitlab.com/esr/gif2png/-/commit/a8a761561b2a071e7452...
1 reply →
"My favorite part of the "many eyes" argument is how few bugs were found by the two eyes of Eric (the originator of the statement). All the many eyes are apparently attached to a lot of hands that type lots of words about many eyes, and never actually audit code." -Theo de Raadt
>> you and i live oceans apart.
> We do.
which, just to clarify, i didn’t mean as “one of us contradicts the other” but that “we experience different slices of life which are guided by different priorities”. i very much wouldn’t want to be a security researcher in the open source areas i occupy now. likewise i wouldn’t want to use the development practices i experience in community open source were i instead building a fighter jet.
looking at the bizarre overlap between “open source contributors who like {Nix,Haskell/FP,Rust}” and “people i know who work for defense contractors” though, i’m actually optimistic that our distance could shrink in time.
None of the significant security vulnerabilities that I can remember have been "deep" - subtle things that require extensive familiarity with the specific codebase and could never have been found by a drive-by contributor, which is the idea that ESR is refuting. Debian keygen bug? Dumb one-liner. Heartbleed? Dumb one-liner. Goto fail? Technically a logic bug, but a two-line thing that could be understood by reading that one file without any additional context.
I've seen cases where exploitation was complex, but even then, that tends to be because the full exploit is chaining together several bugs, each of which is individually simple and could be fixed by a drive-by contributor.
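The "goto fail" case the comment above cites is a good illustration of a bug that is visible by reading one file with no other context. The following is an added example, not code from the thread or from Apple's SSL library: a constructed, simplified stand-in for the affected key-exchange verification flow (the `hash_update` and `signature_verify` step functions are hypothetical). `verify_buggy` reproduces the shape of the defect, an unconditional duplicated `goto fail;` that skips the signature check while `err` is still 0, and `verify_fixed` shows the braced form where a stray duplicated line cannot silently change control flow. Building the buggy version with `-Wunreachable-code` (clang) is the cheap check that would have flagged the dead `if` below the duplicated jump.

```c
#include <stdio.h>

/* Constructed stand-in for a chain of verification steps:
 * each step returns 0 on success and a nonzero error code on failure. */
enum { OK = 0, ERR_HASH = 1, ERR_VERIFY = 2 };

/* Hypothetical step functions; the flag lets the caller simulate failure. */
static int hash_update(int should_fail) { return should_fail ? ERR_HASH : OK; }
static int signature_verify(int should_fail) { return should_fail ? ERR_VERIFY : OK; }

/* "Before": mirrors the shape of the 2014 goto fail defect. The second
 * `goto fail;` is not governed by any `if`, so it always executes; the
 * signature check after it is unreachable and the function returns
 * err == 0 (success) even when the signature would not verify. */
int verify_buggy(int hash_fails, int sig_fails) {
    int err;
    if ((err = hash_update(hash_fails)) != 0)
        goto fail;
        goto fail;   /* duplicated line: unconditional jump, err still 0 */
    if ((err = signature_verify(sig_fails)) != 0)   /* dead code */
        goto fail;
fail:
    return err;
}

/* "After": braces around every conditional body. A duplicated `goto`
 * inside the braces is merely redundant; outside them it is a visible,
 * unreachable statement rather than a silent control-flow change. */
int verify_fixed(int hash_fails, int sig_fails) {
    int err;
    if ((err = hash_update(hash_fails)) != 0) {
        goto fail;
    }
    if ((err = signature_verify(sig_fails)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void) {
    /* Hash succeeds, signature fails: the buggy path still reports success. */
    printf("buggy: %d (expected nonzero)\n", verify_buggy(0, 1));
    printf("fixed: %d\n", verify_fixed(0, 1));
    return 0;
}
```

The defect needs no understanding of TLS to spot: a second `goto fail;` at the same indentation, with no condition above it, is enough for a drive-by reader, which is exactly the kind of shallowness the comment argues for.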
If that was the intended meaning of "shallow", why does the number of eyeballs matter? I think the more obvious interpretation is "quickly discovered".
17 replies →
Spectre, Meltdown and Rowhammer were all discovered in the same timeframe as the things you listed, and were decidedly more complex than dumb one-liners. Yes, those all have a hardware component (and thus the "fixes" are software workarounds), but the fixes involved way more than one or two lines of work.
10 replies →
It seems possible that some better eyeballs (possibly automated ones) have been developed and deployed en masse.