by Anonymous Coward writes:
on Friday January 26, 2018 @01:07PM (#56008321)
The reason why is a familiar refrain: more eyeballs mean more secure code.
by Anonymous Coward writes:
on Friday January 26, 2018 @02:14PM (#56009035)
Theo De Raadt, the founder of OpenBSD, agreed with van Sprundel that more eyeballs on OpenBSD would make the operating system more secure. "I remember reading his first slides, which were mostly about the impact of small API misuses," De Raadt tells CSO Online by email. "Unfortunately, this is a problem of the volume of code relative to manpower. Ensuring all code is 100 percent bug-free and handles all exceptional conditions is a rather difficult problem."
This is what happens when we complain too much about the quality of recent posts. They dig up some "BSD is dying" article to try and make us feel all warm and fuzzy from the nostalgia.
How many PS4 being produced? Does it have some BSD bits underneath?
BSD will never die due to licence:) You cant say say the same about the redish communist GPL:)
Postpone for 10 years the reply. When you reply add the GPS coordinates of BSD grave:)
I usually plan to spend some time at KSC playing tourist, so I was already scheduled to come out on the 5th, and I now have my "Feel the Heat," tickets. That should be a pretty sensational show.
BSD is Dying? (Score:5, Funny)
I won't believe it until Netcraft confirms it!
Re:BSD is Dying? (Score:5, Funny)
Re: (Score:0)
Everybody expects the Netcraft Confirms It.
Re: (Score:0)
They make nice firewall appliances
"more eyeballs mean more secure code"?! (Score:5, Insightful)
After Heartbleed and the other issues affecting OpenSSL, and Shellshock affecting bash, why the hell would anyone still be pushing this disproven "more eyeballs" narrative?!
The OpenBSD project proves that security doesn't come from "more eyeballs". It comes from having software developers who know what they're doing, and who take their work very seriously, and who show immense discipline, and who don't put up with bullshit, and who put security first and foremost.
You could have two million "eyeballs" of offshore "programmers" in India looking at some code, and it will likely still end up being much less secure than code doing the same work but written by a couple of OpenBSD's developers.
Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.
Re: (Score:1)
Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.
"he easily found around 115 kernel bugs across the three BSDs, including 30 for FreeBSD, 25 for OpenBSD, and 60 for NetBSD. Many of these bugs he called "low-hanging fruit." He promptly reported all the bugs, but six months later, at the time of his talk, many remained unpatched."
This does not speak highly of the quality of the people working on the code.
Re: "more eyeballs mean more secure code"?! (Score:3, Interesting)
Give us links to each and every one of those bug reports so we can judge the severity of these alleged bugs on our own. If the BSD devs aren't fixing them it's probably because they're very minor bugs, or perhaps aren't even valid bugs to begin with.
Re: (Score:3, Informative)
van Sprundel also praised OpenBSD's response to his bug findings, saying that De Raadt responded within a week, and OpenBSD patched the flaws within a few days.
Re: (Score:0)
Wow, nice response. Did you used to work for the Department of Inquisition in Spain by any chance? Do you often show up to places unexpectedly?
Re: (Score:2)
It's not the quality of people but perhaps how much they are being paid. The difference between Linux and the BSDs is that there are many more paid developers working on the Linux kernel than the BSDs.
Everybody has to find a way to put groceries on the table.
Re: (Score:3)
I am fine on groceries. I want code that is reliable and secure. I will continue using OpenBSD - but not as my dinner.
Re: (Score:0)
Oh happy day... he told the big three BSDs. What about DragonFly? What about MirBSD? What about MidnightBSD?
Re: (Score:0)
> Oh happy day... he told the big three BSDs. What about DragonFly?
It's mostly FreeBSD code.
> What about MirBSD?
Mostly OpenBSD code...
> What about MidnightBSD?
Mostly FreeBSD code.
Re: (Score:0)
Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.
I'd argue it comes from both. Ignore half of the equation at your peril.
Re: (Score:1)
The BSDs work on the principle that you can shoot yourself in the foot if you so desire. That's why you get a stern warning if you enable the troves of security holes (aka compat-X). Not to mention that to sum up all the security holes before comparing them to the Linux side was a little bit disappointing. You have to compare each flavour of BSD to Linux.
Yes there are lots of holes left and they will stay until someone really needs an old version secured. There is a reason LINT is called lint. If you don
Re:"more eyeballs mean more secure code"?! (Score:5, Insightful)
Why the hell would anyone still be pushing this disproven "more eyeballs" narrative?!
It's important to note that if there weren't eyeballs on the code we would never have known about the vulnerabilities to fix to begin with.
They would have only been discovered and exploited by the malicious and never disclosed unless the attack was discovered, while the company responsible would spin the issue and would (in most cases) not spend the money to secure other installations.
Because flaws cannot be hidden, overlooked or covered up, researchers and other interested parties can perform their own independent audit of the software powering their systems.
-- More eyeballs do in fact mean more secure code. -- Think of it as a global oversight committee.
Why was the Shellshock bug there for 25 years? (Score:1)
You should read up about the Shellshock bug that affected bash [wikipedia.org].
Once you do that, you'll learn that it was present in bash back in 1989.
When it was finally publicly announced in 2014, the bug had been present for around 25 years!
We aren't talking about an obscure piece of software here, either. Bash is probably among the most widely available and used open source software projects out there, and has been like this for a long time.
Brag about your "global oversight committee" all you want. It's clear that all
Re: (Score:-1)
No, you little dick, it's you who are retarded, wrong and ignorant. See the other comment.
Re: (Score:0)
You didn't spot it either, champ. Why not?
Jeez, it's BOTH. (Score:0)
Skill of the people, times number of skilled people.
Duh.
Dear Americans, please take a look at yourselves, and how you always fall for the binary thinking. Because as an outsider, it's very obvious and very obvious that this is harming you.
Whenever something like this arises, expand from (X XOR Y) to [X, Y, X&Y, null, unknown].
Then expand it from discrete to continuous, so that there's a gradient between all of it. With every value blurred into a Gaussian distribution or wavelet.
After that, expand from t
Re:"more eyeballs mean more secure code"?! (Score:5, Insightful)
That comment is neither interesting nor insightful. It's just pushing the age old misrepresentation of the quote.
"Many eyeballs make all bugs shallow" does not - and has never - meant that there will be no bugs, or that they will not lie dormant for a potentially long time. It simply refers to the fact that the more eyes that see a bug, the quicker someone will come up with a fix. Exactly what these researchers are claiming.
The OpenBSD project proves that security doesn't come from "more eyeballs".
I'm sorry, that you didn't RTFA is pretty damned obvious, but did you even read the blurb? There is no such "proof". Rather, they proved the opposite.
Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.
Again, a half-truth. Yes, it's true, but the more people who are involved in a project, the greater the probability that your "good people" turn out to be really good. And the more people you have, the more people you have to fix mundane stuff which doesn't require "really good people" to fix - which frees up your "really good people" to deal with the hairy stuff, and the more eyeballs you have who might for some reason find bugs which need the attention of the "really good people".
Quantity is a quality of its own.
Re:"more eyeballs mean more secure code"?! (Score:5, Informative)
Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.
Did you read the article? Theo De Raadt says as much:
Re: (Score:2)
After Heartbleed and the other issues affecting OpenSSL, and Shellshock affecting bash, why the hell would anyone still be pushing this disproven "more eyeballs" narrative?!
People keep repeating the law incorrectly. Linus' Law states that "with many eyeballs, all bugs are shallow"; it doesn't say anything about secure code.
Re: (Score:2)
"BSD users are fat, have fleas and spend all their time posting on kuro5hin [wikipedia.org]" as the troll goes
I don't. (Score:-1)
if you consider macOS BSD
Darwin was based on Linux.
Re: (Score:1)
> Darwin was based on Linux.
Obvious troll is oblivious...
Re: (Score:0)
> /Ironically I'm writing this on a BSD machine, if you consider macOS BSD
It is indeed a BSD variant, containing some code that goes back to 4.4BSD.
But it is the 'black sheep' of the BSD family—it will never carry the flag of the Unix fanatics, and you won't see a Daemon mascot anywhere near it.
Re: BSD is Dying? (Score:1)
What? It's the only BSD that's actually certified Unix.
Re:BSD is Dying? (Score:5, Funny)
Re: (Score:2)
Re: (Score:0)
Dead, actually.
I just tune in regularly to watch chest-puffing IT chimps get hot under the collar over some mentally-masturbatory irrelevant issue, like whether the iPad is a "computer."
'Scuse me while I pop some more corn and crack another beer!
Re: (Score:0)
Oh, so it is Slashdot that is dying instead then, eh?
Well, actually it is. But that's not why I asked you here.
xxxooo
Linus
Re: BSD is Dying? (Score:0)
The entire fucking summary needs to be modded -1 flamebait.
Re: (Score:3)
BSD has been dying almost as long as Apple has been going out of business . . .
hawk
Re: BSD is Dying? (Score:0)
Re: (Score:2)
Re: (Score:2)
Yes, but did it make you pour hot grits down your pants?
Re: (Score:0)
Don't worry, the FreeBSD community has faced hardships and relied on near zero help from the other groups and companies that have used or taken from FreeBSD.
Re:BSD is Dying? (Score:4, Funny)
Re: BSD is Dying? (Score:0)
I knew somehow Bruce was involved in this. o/
Re: (Score:2)
FYI on an unrelated matter, from a previous discussion, SpaceX is now *tentatively* launching Falcon Heavy on Feb 6th or 7th, which is a couple days ahead of Hamcation.
So you may have to make your way out there a few days early.
Re: BSD is Dying? (Score:2)
Re: (Score:1)
Funnily enough, when I worked for Netcraft a large number of their machines were running FreeBSD :)
That was over six years ago though, and we were moving more towards Linux when we left, so I wouldn't be surprised if most of those are gone now.