Eric Cordian wrote:
An interesting occurrence, because it demonstrates that massive numbers of open source participants auditing the code aren't sufficient to ferret out every giant coding blunder.
I've heard that argument before (last time I heard it was a problem with a PGP implementation) and I never understand what people are trying to prove when they say it. Are you saying that the Open Source model isn't as good as proprietary "we'll-fix-it-if-we-feel-like-it" models? Are you saying that Open Source isn't the promised land like you were... um, promised? Are you saying that the Open Source model shouldn't be used for anything that concerns security? I honestly don't know what you're getting at.

So Open Source is not a perfect solution. In its defense:

- you had the opportunity to hire a team of 50 to examine the code
- the solution was made known to you
- you can reject this solution and write your own if you prefer

none of which would have been true if this were proprietary code. There are so many good things about this model that it seems silly to argue that Open Source doesn't live up to the unrealistic hype that the guys on Slashdot promised you.

- Eric Tully