
Comment Re:Government is a tool (Score 1, Troll) 243

I repeat, legal oppression only exists because of government. If you cannot see that simple truth, you are wilfully blind.

Primogeniture and entailment were government laws which enforced class distinctions and warfare -- without government creation and enforcement of classes, there would be no class oppression and warfare.

Government laws prevented women from owning property, voting, or having much freedom at all, and made marriage rape legal.

Slavery and segregation were the direct result of government laws. Society was integrating on its own until government stopped it and reversed course.

It's very simple: government creates laws to justify its oppression. You claim to get your history from the People's History. It's not much of a history if that single lesson doesn't come through loud and clear.

Comment Re:Lots of people care (Score 3, Interesting) 243

People care about people. Governments do not. Any one who thinks the government is his friend is either a crony or a fool, possibly both. Governments' mission is to compel or prohibit; their core competence is coercion in the name of the status quo.

Before government made black self-defense illegal and enforced bigotry with government guns, blacks at least had a chance. Society was at least slowly integrating even in the face of government sanctioned lynching, before government stepped in officially and made it illegal, backed by government guns and jails. The US Post office and military were more integrated than most people realize, until Woodrow Wilson came along and enforced segregation. That Louisiana railroad was just one of many companies who integrated in pursuit of the almighty dollar, until governments came along and stopped them with government guns and jail.

Progressives are an ignorant whiny lot, like all statists. All power to the government! The people, not so much.

Comment Re:Lots of people care (Score 3, Informative) 243

Civil rights for Black People in the Southern American States only happened because the Federal Government stepped in with the National Guard.

BULLSHIT. Slavery and Jim Crow were both the RESULT of government laws. Neither can exist in the absence of government. Jim Crow in particular owes its existence to a Louisiana law requiring a railroad to segregate its railroad cars against its own wishes, said law being approved by the US Supreme Court.

You need to learn a lot of history before opening your yap next time.

Comment Re:WTF? (Score 1) 188

True, most of my experience is with companies 10k, but you're just being arrogant calling that "really small". Almost all of those companies are part of a larger corporation, and you don't manage IT operating activities in multinational corporations on the corporate level. The corporate level decides if you go with SAP or Oracle, but not which patch level of Apache is used on the website of one of 20 subsidiaries.

At least that's the way it was in my last two companies (one a subsidiary of a 65k employee corporation, one part of a 30k employee corporation). If you know of any multinational corporations where the CTO of the top-level holding has to sign off on patch deployment, let me know.

We're talking operative emergency response here, not rollout of new corporate IT infrastructures. I hope you see the difference.

Comment Re:WTF? (Score 1) 188

You're cute. I've done this shit for a living for a while. Yes, many companies' incident response procedures are crap, but they shouldn't be, and it is perfectly possible to get an emergency countermeasure deployed within 24 hours with all the t's crossed and i's dotted and perfect SOX compliance and whatever else you need. It's just something you need to think about before the emergency hits you.

Comment Re:Not that good (Score 1) 188

Of course everything else is never equal.

But what are you trying to accomplish here? Argue that a project with 100 developers has more eyes on the code than one with 4? Moot point, no argument.

We don't get the luxury of having 50 identical software projects with different team sizes and a size control, so we have to go with the real world and "everything else being equal" is just a way of saying that if you want to compare closed vs. open source, you need to compare comparable projects, not an open source project with a handful of people with a closed source project two orders of magnitude larger - or the other way around.

Comment Re:WTF? (Score 1) 188

sysadmin, firewall admin - let's not pick nits here. The point is that there are mitigating measures, and if signing off on something that prevents your company secrets leaking out to the Internet without you even noticing takes more than 24 hours then your incident response procedures are retarded and you can hire me for a workshop to improve them dramatically.

Comment Re:WTF? (Score 1) 188

Yeah, there was absolutely nothing anyone could do. Oh wait, except for this brutally complex and technically challenging thing right from the official vulnerability announcement:

This issue can be addressed by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag. Software that uses OpenSSL, such as Apache or Nginx would need to be restarted for the changes to take effect.

That was definitely not a feasible option for anyone on the planet...

Comment Re:WTF? (Score 1) 188

You are right on those.

Except for the "nothing can be done" part. That's not your judgement call to make. There is always at least one option - pulling the power plug - and it might well be a feasible temporary solution for some people affected.

Comment Re:WTF? (Score 1) 188

Absolutely.

But we were talking about mitigating measures. That is almost never patch and recompile, it's things like turning off a service, changing the firewall rules, moving servers into a different network - things that are very much within the duties of the sysadmin (with proper clearance and risk acceptance by management, etc. etc.)

Basically, if you have a bug that makes your internal network open to the world, but you can avoid it by disabling feature X in the config file, and your company doesn't require feature X, then that's something the sysadmin can do, and he can do it right now, while the vendor is working on a patch.

Comment Re:WTF? (Score 1) 188

The thing is that the manufacturer must not be the one to set the time they get to fix this

I agree on that 100%

most people are not able to do anything without patch.

That depends a lot on the particular problem. In many cases, there are mitigating measures that can be taken until a patch is available, and I'd argue strongly that the people affected should make the call on that, not you or I or anyone else.

By withholding information, you are making decisions for other people. But you are not in a position to make that call, because you are not the one who suffers the consequences.

I advocate for giving everyone all the information so they all can act according to their needs and abilities. I argue for letting people make their own decisions.

Comment Re:Not that good (Score 1) 188

I didn't see it's the thousands of eyes that fanatics claim.

I'm simply saying that if your source code is open, your number of eyes on the project is (dev team) + (people looking at it) while for a closed source project the number is (dev team).

Since "people" cannot be negative, by necessity (dev team) + (other people) >= (dev team)

How does that guarantee that more experts will review a given piece of security code than in a proprietary, closed-source, locked-up development organisation that also has mandatory code reviews?

It doesn't.

It does guarantee that the number of reviewers is equal to or higher, provided everything else is equal.

Comment Re:WTF? (Score 1) 188

Yes, this argument is being made a million times and it doesn't prove anything because it rests on so many assumptions that may or may not be true that its total truth value is about as good as tossing a coin.

The two most important:

First, you assume that the official patch is the only thing that can be done. In many, many cases there are other (temporary) measures that can be taken to mitigate a problem or limit its impact. Who are you to decide for everyone on the planet with their different needs and scenarios which is better?

Second, you assume that there are thousands of hackers who didn't know about it. Yes, it is likely that the number of bad guys knowing about the problem was less than 100% before the announcement. But any real professional doesn't care about number of hackers, he cares about risk, which is number multiplied by impact. If the people who are the worst danger to my business and are most likely to target me already have the exploit, I don't give a fuck about a thousand random script kiddies also getting it.
