
Vetting the cargo

Posted Jun 13, 2022 13:09 UTC (Mon) by colejohnson66 (subscriber, #134046)
In reply to: Vetting the cargo by hkario
Parent article: Vetting the cargo

The "many eyes" theory is completely bogus. OpenSSL had Heartbleed in it for literal years and no one noticed.

Vetting the cargo

Posted Jun 13, 2022 13:22 UTC (Mon) by Wol (subscriber, #4433)

"Many eyes makes bugs shallow".

Which is true. It's extremely easy to look straight through something you're not expecting to see; many eyes on their own are useless. Note also the "makes bugs shallow". It doesn't say it makes them easy to notice. It *does* mean that once you know there is a bug, it's not going to be able to hide for long.

Which has been borne out many times. What is the expected life-time of a bug once it's been spotted? Hours? Certainly not much more.

(But then, of course, in addition to the time at the start where no-one knew there was a bug, you also have the long tail where the bug has been fixed, but the fix has not been deployed.)

Cheers,
Wol


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds