10-05-2014, 08:56 AM   #41
gmw
cacoethes scribendi
Posts: 5,818
Karma: 137770742
Join Date: Nov 2010
Location: Australia
Device: Kobo Aura One & H2Ov2, Sony PRS-650
Quote:
Originally Posted by Andrew H.
That's kind of the open source mantra, but I'm skeptical. The Shellshock vulnerability has existed since 1992. Heartbleed was published, reviewed, accepted as a standard...and a huge weakness was not discovered for two years.
Yes. The idea that the code must be safe because many eyes can see it assumes that many eyes (with the education and experience to spot a bug) are actually looking. It's not a reliable assumption.

A lot of this stuff, especially in the open source world, has been around for a long time. People re-use the code because that's the smart and efficient thing to do. But do they go over it looking for bugs? Of course not, because that would deny the efficiency you were looking for by re-using the code in the first place. They put trust in the fact that it's been around for a long time, so it must be reliable - right? Not always.

Which is not an argument against using open source software, it's just facing the reality that software is a complex beast. Bugs are found by explicit testing and by using the software - hence popular software often has what might look like a disproportionately long list of bug-fixes. The true advantage of open source is not that everyone can see if there are bugs in the source, but that anyone (with the relevant skills) can fix the bugs when they are found.