That only applied while they were busy working out the details for the embrace, extend and extinguish strategy they will use towards competing mobile operating systems
And how exactly would that work? Or is this just a case of "Microsoft is doing something therefore it must be Embrace Extend Extinguish"?
I don't understand how else it could be shocking to find a bug in a piece of software unless it didn't contain any bugs.
It's not just a bug, it's this bug. Clearly a bug this severe is a much more shocking revelation than say an issue with toolbar location persistence in libre office.
It's not as if "severe" bugs are easier to find. Why does it damage the many eyes claim? It had many eyes on it, and it eventually got found by a few of those many eyes. Nothing is *the* answer. Open source is one of many ways to *improve* the quality of code.
And it has dubious value given that this bug was committed, reviewed and accepted then extremely widely circulated despite many eyes being on it. It's not about having heaps of people look at it, it's about having a few people with the right knowledge and understanding of the system looking at it.
I think it quite clearly does improve the quality.
So what's the argument? That you have many eyes on it so this is less likely to happen than...what? Closed source software? Lower profile Open Source software? This is why it has dubious value, yes you might happen to fluke it but you're just as likely to have many eyes that completely miss it. Touting it as an advantage (even if it is in some circumstances) does it a disservice because you end up with people trusting that "it's open source so many other people are looking at it" and then you get a situation like this where it is used in literally billions of situations and the critical flaw was missed just like can happen in closed source projects. The advantage is the ability to find and fix issues yourself, not that many other people may or may not be doing it for you.
but given an arbitrary acceptable error, there are usually acceptable sample numbers and sampling strategies.
Well you need people that can fully understand a particular complex system to find the tough bugs, and you need a lot of them dedicated to it. I would say there is rarely ever enough, except maybe on the Linux kernel where the critical error rate is pretty low (though they do happen). Demonstrated by the key advantage of free/open source software being that it is easier/quicker to fix bugs in it, not that is necessarily more bug-free than proprietary software in general.
I am not aware of any claims made by anyone remotely reputable that open source software doesn't contain bugs.
I didn't say anyone did, in fact such a thing is demonstrably false so I'm not quite sure what you say that.
Even if the claim is that open source software contains fewer bugs, finding one bug does not disprove that sort of claim.
No but when a bug this severe is discovered in something so widely deployed it certainly does damage the "many eyes" claim, it has about as many eyes on it as any open source program is likely to get so clearly that isn't the answer. Having "many eyes" doesn't necessarily diminish the quality, but obviously it doesn't necessarily improve it either so saying it's better because it has "many eyes" looking over it is disingenuous at best.
Why is the open source community incapable of outdoing commercial de-facto standard apps with poor UIs?
Perhaps it's that with an application this large you really need designers that have a consistent vision for what it needs to be like and every new feature that is introduced that requires a GUI element needs to go through a design process. If you switch designers you're likely to end up with inconsistent design throughout the application. People have their own opinions about how things should be done, if you lose a developer and he/she is replaced then whether he/she refactors the area of code they are responsible for has no visible impact on the user, but if a designer does that then the effect is immediate inconsistency.
Also maybe UI designers are less inclined to work for free? So you end up with UIs designed by programmers instead, they work the way a programmer thinks they should work which is rarely how an end user thinks they should work. A similar situation occurs with documentation.
The exception to this is probably Blender, the more recent UI improvements and high quality of documentation show the high level of community (by that I include production studios and independent hobbyists and professionals) interest, support and use of the product not to mention the contributions made to it. In professional circles photographers don't use GIMP, they use Photoshop just as most use MS Office over Libre/Open Office. Blender has some real, genuine advantages over its proprietary competitors, it isn't just a me-too, fast-follower product that copies a proprietary one and that is why it is successful.
Given enough eyeballs, all bugs are shallow . --- Linux Torvalds
Actually that was Eric Raymond, and it is evident that in fact there never are enough eyeballs (at least ones that can comprehend what they are looking at). The theory is sound but in practice it is not.
My point is that nothing about this situation is any kind of failing of open source software if you had realistic expectations to begin with. There was a really bad bug that was introduced into a widely distributed piece of open source software and after a few years, some people found it and it's now getting fixed.
Of course, but it's those people that perpetuate the unrealistic expectations that have been put in their place. The fact that such people spread that nonsense is entirely the reason you have people now saying "a bug in widely used open source software?! how could that happen?!"
Because it is in an area with such a vocal group of people spouting "Impenetrable" for decades, it all of the sudden becomes quite newsworthy in a way that "yet-another-remote-code-execution-with-privilege-escalation-in-Acrobat-Reader" vulnerability doesn't.
Or maybe because - unlike OpenSSL - nobody is running products like acrobat reader on their server which contains millions of usernames, passwords and the encryption keys that go with them that is vulnerable to this bug.
It is also common to assume that when someone says "Anyone can verify open source software to be secure and non-malicious", they are saying "No one is prevented from verifying open source software", rather than "Anyone (regardless of their software engineering ability) will find every single bug in a piece of open source software."
It isn't a matter of "every single bug in a piece of open source software", this is a hugely deployed piece of open source security software and you would expect that if the "many eyes" thing were indeed true then this is exactly the place it would be demonstrated yet what we have here is one of the most widely deployed critical security bugs ever. This isn't a condemnation of open source in any way, just of the misguided vocal advocates that pad their arguments with falsehoods rather than focussing on the real advantages of open source (like the speed at which bugs like this can be patched).
If you thought that it was claimed that every piece of open source software was bug free (contingent upon being "verified" as such), I'm sorry to tell you that you were misinformed.
I know such claims have always been false and this is just more proof of it at the most prominent and non-theoretical level so I'm not quite sure what your point is. This alone didn't disprove the claim, it just added more proof (and at an extremely high visiblity) that the claim is false.
FOSS is nowhere in the conversation, btw...this has absolutely nothing to do with the fact that this was Open Source project.
Well it does show that the often-used argument that open source is better because "I can review the code to make sure it is secure and not malicious" is false, not even the biggest vendors did that before using this code.
Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (5) All right, who's the wiseguy who stuck this trigraph stuff in here?