Free software's not-so-eXZellent adventure
Posted Apr 11, 2024 10:00 UTC (Thu) by farnz (subscriber, #17727)
In reply to: Free software's not-so-eXZellent adventure by raven667
Parent article: Free software's not-so-eXZellent adventure
I don't think you can complacently _rely_ on someone detecting these things quickly; the idea that "many eyes makes bugs shallow" doesn't address the governance model that directs and pays someone to actually look beyond their hobby/curiosity. But the thing with backdoors/bugs in open source is that they are detectable, and once they are detected we have the tools to do comprehensive analysis out in the open as well, so they are high-risk for the attacker: it only takes one curious "huh, that's weird" to blow the whole operation.
FWIW, I've always interpreted "many eyes make bugs shallow" as "once a bug has been identified, people will find the root cause and a good fix quickly", and not "all bugs will be found quickly". This meaning of the phrase still applies here - the bug was found (via a mix of chance and Andres Freund's hard work) a long time after it was introduced, but it took very little time to find the root cause and a fix for the bug once it had been identified.