Every week there's a new vulnerability in the Linux kernel - is it time to admit that (A) the "many eyes" theory is disproven (B) the Linux kernel has evil malware agents "oopsing" bugs in exactly as fast as we discover them?
The way I see it, all those vulnerabilities prove the opposite. If there were no "many eyes", I doubt most of those vulnerabilities would have been exposed to the public at all. But I bet that malicious actors would still be using those.
That argument you made reads similarly to "hospital theory is disproven, because whenever we get more hospitals and doctors, more people end up with a diagnosis".
The "many eyes" theory includes the phrase "all bugs are shallow", which to me certainly implies that they shouldn't lay there for 10+ years.
The only conclusion people should be drawing from the last 20 years of security being taken seriously is that writing secure software is hard, finding bugs is hard, and business model doesn't really matter.
The maxim doesn't state an exact eyeballs-to-bugs ratio, nor does it state a timeframe in which the bugs actually become shallow.
It's quite possible that for 10 years, the number of eyeballs had not been enough, until it was. The open source model makes it more likely to gather more code reviews.
I hope you and the grandparent get your horses into rehab once you finish your ride. ;-)
So your argument is either that Linux didn't have many eyes on it, or that it taking 10 years and an intense study by Google to find it is shallow. In either case, that's effectively saying that the maxim is so loose as to be completely meaningless (i.e. "broken").
Even throwing out the fact that equivalent closed source software has a stupendous amount of money spent on code reviews, the open source model makes those reviews possible. It doesn't necessarily make them likely. That is a very important difference: theoretical eyes make no bugs shallow.
> I hope you and the grandparent get your horses into rehab once you finish your ride
Please refrain from making condescending, smug comments like this here. They do not in any way contribute to the debate.
> Please refrain from making condescending, smug comments like this here. They do not in any way contribute to the debate.
HN today (over the course of previous weeks) is very quick with broad-swipe sensationalist statements, at least this is the sentiment I'm getting:
— The law of enough eyeballs is disproved by a decade-old bug!
— Sleep deprivation is used for some depression cases, therefore, let's banish sleep and crank all-nighters!
— SOLID is obsolete and debunked, and moreover, the old boomer Robert Martin defends it, so let's banish SOLID!
Repeat ad nauseam about any "mainstream" viewpoint or paradigm. It's getting old very quickly. Thus my abrasive passage that you quoted.
I'd like to see instead a more elaborate discussion about the limitations of this observation (about eyeballs and bugs), which has proved itself more than once, rather than a sweeping statement. Right now the thread reads like a call to abolish all Newtonian mechanics and use relativistic calculations for everything, just because Newtonian physics got "debunked".
I'd argue that maybe a codebase can grow so much that no number of human eyeballs, even using eyeball enhancers like fuzzing and analysis tools similar to Coverity or PVS Studio, will ever bring all the bugs to the surface (and of course there can be design flaws undetectable with tools). And maybe realizing this should alter the way we design complex systems that should be as bug-free as it gets.
The bug was found by fuzzing, so it's not really the case that anyone reads the code. I'm pretty sure code reviewers are a lot slacker now than in 1995. There's just so much code, and so often the costly things are in bad thinking that leads to unmaintainable messes, not bad security.
This comment is clearly bait, but I'm going to take it anyway and respond with a link to Microsoft's Security Response Center. This isn't exclusive to Linux at all (for better or worse) https://msrc-blog.microsoft.com/
Would be nice if we could judge Linux on its own merits, without comparing it to Microsoft Windows. "Your Ferrari only goes 30mph? Well, it's still better than this lawnmower. Stop complaining."
If Linux is a Ferrari and the dominant commercial operating system on earth is a lawnmower, there's no metric by which Linux is failing other than grass-cutting.
IMO, the quip about "many eyes" never was true, but you know, that doesn't invalidate open source or anything, it just means that Linus said a thing that sounds cool to a magazine and it was just hot air. That saying, was.