Given enough eyeballs, all bugs are shallow

The title of this article is a quote from Eric Raymond's book The Cathedral and the Bazaar, and it is regarded as one of the main mantras of open source. Since then, Linus's law (that is what Eric calls it) has come under all sorts of attack, above all the objection that it is a fallacy because whether a bug is visible does not depend on how many eyes are looking at the code, among other arguments.

When the Heartbleed bug in OpenSSL (an open source project) blew up a week ago, along with its impact, a few people (this Apple user, for example) were quick to criticize the mantra and those who defend it. When another goto fail turns up in the iOS code, we go around saying "ha ha, take that". But when a bug that went ten years without being discovered turns up in GnuTLS, we say "at least we have it fixed".
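All three bugs named above are missing or misplaced checks a few lines long, which is what makes them "shallow" once someone looks with the right assumption in mind. The following C program is an added example for this page, not code from the original post and not OpenSSL's code: a constructed, simplified model of a TLS heartbeat handler (record layout as in RFC 6520: type, 16-bit payload length, payload, padding) in which the vulnerable version trusts the peer-supplied payload length and the fixed version checks it against the bytes actually received. The 64-byte memory region, the `SECRET-KEY` bytes standing in for neighbouring process memory, and the function names are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of a TLS heartbeat request, following the
 * RFC 6520 layout: type (1 byte) | payload_length (2 bytes, big-endian) |
 * payload | padding (at least 16 bytes). Written for this page as an
 * illustration; it is not OpenSSL's code. Heartbleed (CVE-2014-0160) was the
 * absence of the check that payload_length fits inside the record received. */

#define HB_HDR   3    /* type + payload_length */
#define HB_PAD   16   /* minimum padding required by RFC 6520 */

/* Vulnerable handler: copies payload_length bytes, trusting the peer's field.
 * Only the destination buffer is bounds-checked; the source record is not,
 * so a large payload_length reads whatever lies after the record in memory.
 * Returns the number of bytes copied into resp, or -1. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                         uint8_t *resp, size_t resp_cap)
{
    if (rec_len < HB_HDR) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload_len > resp_cap) return -1;
    memcpy(resp, rec + HB_HDR, payload_len);   /* over-reads rec */
    return (int)payload_len;
}

/* Fixed handler: same as above, but the claimed payload length must fit in the
 * record that was actually received (header + payload + padding <= rec_len).
 * Malformed requests are silently discarded, as the 2014 fix does. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                    uint8_t *resp, size_t resp_cap)
{
    if (rec_len < HB_HDR + HB_PAD) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload_len + HB_PAD > rec_len) return -1;
    if (payload_len > resp_cap) return -1;
    memcpy(resp, rec + HB_HDR, payload_len);
    return (int)payload_len;
}

/* Small byte-string search so the demo does not rely on the GNU memmem(). */
static int contains(const uint8_t *hay, size_t hay_len,
                    const char *needle, size_t needle_len)
{
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0) return 1;
    return 0;
}

/* Demo: a malicious request sits at the front of a 64-byte region whose tail
 * holds a constructed "secret", standing in for neighbouring process memory.
 * The request claims 48 payload bytes but only 4 (plus padding) were sent.
 * Returns 1 if the secret ended up in the response, 0 otherwise. */
int demo_leak(int use_fixed)
{
    uint8_t mem[64] = {0};
    const char secret[] = "SECRET-KEY";
    memcpy(mem + 40, secret, sizeof secret);     /* constructed neighbour data */

    mem[0] = 1;                                  /* heartbeat_request */
    mem[1] = 0; mem[2] = 48;                     /* claimed payload_length = 48 */
    memcpy(mem + HB_HDR, "ping", 4);             /* real payload: 4 bytes */
    size_t rec_len = HB_HDR + 4 + HB_PAD;        /* 23 bytes actually received */

    uint8_t resp[64];
    int n = use_fixed ? heartbeat_fixed(mem, rec_len, resp, sizeof resp)
                      : heartbeat_vulnerable(mem, rec_len, resp, sizeof resp);
    if (n < 0) return 0;
    return contains(resp, (size_t)n, secret, strlen(secret));
}

/* A well-formed request must still be answered by the fixed handler. */
int demo_legit(void)
{
    uint8_t rec[HB_HDR + 4 + HB_PAD] = {0};
    rec[0] = 1; rec[1] = 0; rec[2] = 4;
    memcpy(rec + HB_HDR, "ping", 4);
    uint8_t resp[64];
    return heartbeat_fixed(rec, sizeof rec, resp, sizeof resp);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", demo_leak(0));
    printf("fixed handler leaks secret:      %d\n", demo_leak(1));
    printf("fixed handler answers a legit request with %d bytes\n", demo_legit());
    return 0;
}
```

The vulnerable handler passes every test a reviewer would write against the destination buffer; the missing check is on the source side, which is exactly the kind of shared blind spot the post goes on to describe. The fixed handler discards the request rather than answering it with a truncated payload, which is also what the real fix did.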

So Eric wrote a post to set things straight: Linus's law is as valid as it ever was.

Eric says the critics make the mistake of overemphasizing the bug they can see and underemphasizing the high probability that a security flaw they can't see in equivalent closed software is worse and still undiscovered. When he says "enough eyeballs", he is not talking about the number of people auditing but about the diversity of their assumptions. A few people who think differently can be better auditors than an army that shares a blind spot.

In the last few months I have learned a few things about the density of security flaws in the proprietary firmware of residential and small-business internet routers that would curl your hair. Friends don't let friends run factory firmware. You don't want to trust anything less audited than OpenWRT or one of its variants. And yet the next time a security flaw shows up in one of those open source projects we will see a rerun of the same old movie, with another round of people squawking that open source doesn't work. Ironically, this will happen precisely because the open source process DOES work, while worse bugs lurk in the firmware of closed routers somewhere.

And the same example applies to Heartbleed. What is the defect history of proprietary SSL/TLS blobs? Nobody knows. The vendors say nothing, and nothing can be said about the quality of their code because it cannot be audited. The speed of shipping fixes also stands out: Linux systems already have a fix for Heartbleed, while on proprietary systems the fix can take much longer. That's because many closed-software business models require upgrades to be an expensive, high-friction process, wrapped in approval requirements, fees, and legal restrictions. In open source a fix can arrive in minutes, because nobody is trying to make a living from it.

Me, I've just changed my passwords on a few sites (only those that support https), besides giving them a hand with some money. They really deserve it.



  1.   frameworks said

    That is why it's not a good idea to be a «fan of one exclusive operating system»: all systems have their flaws;
    the only thing that changes is the philosophy of how problems are dealt with.

    http://i.imgur.com/UOFAbqy.jpg

    1.    Alejandro said

      I loved the image; what a pity that the comments can't be voted on.

      1.    nillo said

        They could use Disqus as the comment system.

        1.    eliotime3000 said

          The bad thing about Disqus is that its user management system is really poor; plus, you cannot see which email address a commenter used or which IP the comments come from.

    2.    eliotime3000 said

      There is a flaw in the image: with GNU/Linux updates, the good thing is that the updates are, in general, not a whopping number of MB, as is the case with Windows and Mac. Also, Windows Update, as an update manager, is just disappointing.

    3.    userGNU / Linux said

      I'm the problem; the problem is those of us who use these ingenious devices without even understanding what they are and what they really do. Not everyone can learn to program, but a few of the programmers that exist can make a difference.
      You read the message about "power and responsibility" the first time you loaded a GNU/Linux OS and entered your user password. That's what good developers do when they make the "source code" of these devices freely available.

  2.   Ronin said

    I feel that the OpenSSL problem is also a community problem, since the code, being open, should have been better audited. And I agree 100% with the view that open source is safer, since at least one can get to know its errors from birth, while with proprietary code nobody knows how safe or insecure it may be.

    1.    eliotime3000 said

      The problem is not necessarily the OpenSSL community; the problem is actually that the community itself has not called for updating that software to be a top priority for all distros.

      And by the way, the 1.0.0 and 0.9.8 branches, along with version 1.0.1g, are the versions that are not affected by the bug.

  3.   let's use linux said

    very good article!

  4.   eliotime3000 said

    Luckily they updated OpenSSL in distros like Debian GNU/Linux (a very light update, by the way), but on Windows a whopping 800 MB arrives (the bad thing is that they are the same patches as always and are never targeted, as those of the GNU/Linux distros are).

    Anyway, I thought the bug was in SSL itself and not in OpenSSL (if it were in AES or WPA-PSK, it would be a different story).

  5.   vidagnu said

    Strongly agree: in closed systems there can be many problems, several years old, that we don't know about and that criminals may be using to steal, and the worst thing is that when they are detected and reported they take forever to fix.

  6.   kaoi97 said

    interesting

  7.   userGNU / Linux said

    Free software or open source automatically achieves the maximum social welfare. Closed code is the expression of the ability of a few to pursue their self-interest at the expense of those who depend on them. It makes me laugh to relate this to Adam Smith's economic idea of "the invisible hand", which I certainly find very contradictory.