The reason why is a familiar refrain: more eyeballs mean more secure code.

BSD is Dying? (Score:5, Funny)
I won't believe it until Netcraft confirms it!

"more eyeballs mean more secure code"?! (Score:5, Insightful)
After Heartbleed and the other issues affecting OpenSSL, and Shellshock affecting bash, why the hell would anyone still be pushing this disproven "more eyeballs" narrative?!
The OpenBSD project proves that security doesn't come from "more eyeballs". It comes from having software developers who know what they're doing, and who take their work very seriously, and who show immense discipline, and who don't put up with bullshit, and who pu

Re: (Score:1)
Code quality doesn't come from the quantity of people looking at it. Code quality comes from the quality of the people working on it.
"he easily found around 115 kernel bugs across the three BSDs, including 30 for FreeBSD, 25 for OpenBSD, and 60 for NetBSD. Many of these bugs he called "low-hanging fruit." He promptly reported all the bugs, but six months later, at the time of his talk, many remained unpatched."
This does not speak highly of the quality of the people working on the code.

Re: "more eyeballs mean more secure code"?! (Score:3, Interesting)
by Anonymous Coward writes: on Friday January 26, 2018 @01:31PM (#56008575)
Give us links to each and every one of those bug reports so we can judge the severity of these alleged bugs on our own. If the BSD devs aren't fixing them it's probably because they're very minor bugs, or perhaps aren't even valid bugs to begin with.

Re: (Score:3, Informative)
van Sprundel also praised OpenBSD's response to his bug findings, saying that De Raadt responded within a week, and OpenBSD patched the flaws within a few days.
Often statistics are used as a drunken man uses lampposts -- for support rather than illumination.