Re:Not enough eyes (Score 1)
So, the "with many eyes all bugs are shallow" notion fails. There were not enough eyes on the OpenSSL library, which is why nobody discovered the bug.
I think that's a lie. The truth is everybody thought there were so many eyes on the code that they all glazed over and nobody really looked. After all, if this was my company and the line was "Well, everybody who works here has access to the source repository, so I'm sure that someone would find it..." there'd be plenty of alarm bells going off in my head. For sure, bumping into buggy code is often the way you find out about bugs, but for security-critical code it's review, more review, audits, all that really boring red tape that counts to stop it getting through in the first place. If the rumors are true, the NSA caught on pretty quick, which is because they have lots of smart people getting paid well to look for exactly these kinds of issues. This is not magic. But it's the kind of boring shit you usually have to pay people to get done.
Except for corporate-sponsored positions - which also typically have their own agendas - the work that gets done is the work people feel like doing. If what you need is 50% development, 50% review, but 90% of what the people involved are interested in is the development of their own pet features, well, you don't have any authority to boss people around. You can ask the reviewers to be a bottleneck, which will quickly turn sour, you can ask them to rubber-stamp it faster, or you can add people who really shouldn't be reviewers, but you can't hire more qualified reviewers. Waiting a few years for someone to stumble into it just isn't a good process, no matter how much people pretend this proves how OSS "works".