This kind of misleading crap posted as front page news is the reason I read Slashdot less and less these days.

It's just that "Google" has become lazy shorthand for "search engine", that's all.

If they actually cared about what was being put into dairy cattle, they would do something about the steroids and other fun things used to massively increase production. This case is all about expanding government power and absolutely nothing to do with consumer safety.

They didn't have the science to know it was asbestos causing health problems 4400 years ago. We have the science now. We figured out that it was a bad thing. Using modern science, we would know if feeding beer waste to cattle is bad. Perhaps in a thousand years to they might have new science that shows eat steaks from beer waste fed cattle increases the likelihood of cancer by .00001%.

And how many people will consider beer waste handling as an important enough issue to vote out someone? None. They're going to be more interested in big ticket items like gay rights or abortion. This is how the government stealthes in an array of regulations that eventually consume our every moment.

One problem with this is that there's already a documented history of companies rejecting bug reports and not paying the bounty, and then some time later include a fix for it in their periodic updates. It's basically the same process that causes a company's "app store" to reject a submitted tool to do a particular job, and then a few months later releasing their own app that does the same thing.

I know a good number of people who've been bitten by the latter, from both MS and Apple. In the case of a bug, it's a lot harder to document that this has happened, but various software guys I know express a strong suspicion that it has been done to them.

It's widely believed that corporations don't have ethics at all, only costs and income, which would easily explain this sort of fraudulent "offers" of rewards with no intent to pay. We've heard here often from lots of people who think that this is right and proper, and that corporations should only be motivated by the bottom line.

When combined with the growing penchant for treating someone who reports a security bug as a criminal "security hacker" and prosecuting people who report bugs in software products, this should reasonably make a sensible developer reluctant to take rewards programs seriously. Given an offer which could get you thanks and some money, or could land you in jail for your efforts, and no way to know beforehand which the company will do, why would you even consider letting them know your name?

(Actually, my name has appeared in numerous companies' lists of honored contributors thanks to my bug reports and patches. But I haven't sent in security-related bug reports to many companies, only to the ones I have reasons to believe I can trust.)

>which is the fork and which the original ... is a matter of sometimes heated opinion.

I don't care too much about that. I am interested in which is better though.

Which is better?

So you're say that when I, as a (professional ;-) programmer, create a chunk of code that tests for something, you don't think I should get any credit for what it discovers, because it's the code that discovered it, not me. This pretty much shoots down the value of nearly everything I do, because like most programmers, I spend most of my time writing and running my test suites; the actual product itself usually takes only a small percent of my work time.

Maybe I'm overly arrogant, but I disagree with this. I think that whatever a chunk of code does, the credit (or blame ;-) should go to the programmer, not the code or the cpu.

By similar reasoning, we might argue that the "many eyes" never actually discover any bugs at all, because the real work is done by the brain behind the eyes, not the eyes themselves. And with computer bugs, the human brain almost never figures out the bugs; it merely writes code that does appropriate testing, providing the brain with information that it could never have figured out by itself.

This is sorta the inverse of the old saw that guns don't kill people; it's saying that the human that pulled the trigger should get no blame for a killing, because it was the bullet (or maybe the trigger mechanism) that actually did the job.

Huh? The quote is "given enough eyeballs, all bugs are shallow." That's a clear admission that open software, like all other software, contains bugs; that's why you want the many eyeballs. Any claim otherwise is a symptom of not understanding plain English. Eric's whole point was that the bugs in open software will be found and fixed faster than the bugs in other software, due to the population of interested people who will study it, looking for the bugs. Nothing in that quote implies (to anyone with reasonable understanding of English and basic logic) that open software doesn't have bugs. I expect Eric would just chuckle at the very idea of software without bugs.

(Actually, someone near him should ask him. Tell us whether he chuckles, or snickers, or just gets a sad look on his face. Or maybe he'll say "Well, there is a conjecture that bug-free software exists, but in has never been observed in the field by reliable observers." ;-)

A much more useful conclusion from this story (if you're serious about computer security) is that this bug has been found and fixed in OpenSSL, but with its proprietary competitors, we have no way of knowing what horrible exploits they may be hiding. And you'd be a dummy to think they don't have exploits; every chunk of security-related software has exploits. The meaningful question is whether they can be found and fixed by the people using the software. If not, you'd be a fool to use that software.