Comment Re:Maybe it's time... (Score 1) 477
Yeah, but how many of those eyes actually have the experience it takes to audit code for security? Writing and auditing for security (especially for operating systems) is *hard*. From "Secrets and Lies", pg. 345, by Bruce Schneier:
"First, simply publishing the code does not automatically mean that people will examine it for security flaws, and it certainly doesn't mean that experts will examine it for security flaws. Researchers found buffer overflows in MIT code for Kerberos ten years after the code was released...Second, simply publishing the code does not automatically mean that security problems are fixed promptly when found. There's no reason to believe that a two-year-old piece of open source code has fewer security flaws than a two-year-old piece of proprietary code. If the open source code has been well examined, this is likely to be true. But just because a piece of source code has been open source for several years does not, by itself, mean anything."
Great book. I highly recommend it.