what do you think?

Adam Williamson awilliam at redhat.com
Tue Feb 16 15:53:30 UTC 2010


On Tue, 2010-02-16 at 08:33 +0200, cornel panceac wrote:
> is this wrong?
> 
> Microsoft’s Many Eyeballs and the Security Development Lifecycle
> http://blogs.msdn.com/shawnhernan/archive/2010/02/13/microsoft-s-many-eyeballs-and-the-security-development-lifecycle.aspx

"In product after product, Microsoft continues to ship fewer
vulnerabilities than our competitors. Look at the results from Jeff
Jones blog: http://blogs.technet.com/security/. Jeff is a Microsoft guy,
of course, and thus not an entirely impartial source."

*exhales coffee at high velocity*

The issues with Jeff Jones' posts are well-known, and this kind of thing
is exactly why I wish he'd stop making them. I think Jeff's an
interesting guy who genuinely has good intentions in what he does, but
the problem is his posts then get used for simple-minded 'ours is bigger
than yours, la la la' crap like this, which I doubt Jeff really
intended.

Aside from that, the correct answer to the question is "it's impossible
to know", because Microsoft will never actually give you a
straightforward answer to the straightforward question "who exactly is
involved in ensuring the correctness and security of Microsoft's code,
and how do they do this?" They just expect us to take long-on-bluster,
light-on-facts blog posts like this as gospel and trust that they have
everything under control. Which is the advantage (as far as they're
concerned) and the disadvantage (as far as others are concerned) of the
proprietary model.

His conclusion is simply off, too. "But the many-eyeballs epithet is an
implicit assertion that code review is the only thing that matters"
simply isn't really the case. Or if it is, it's a straw man. No matter
what ESR wrote in a single-topic piece nearly a decade ago, I don't know
of anyone actually involved in open source security who believes that
all anyone needs to do is assert Many-Eyes-Code-Review to make their
code magically safe. So either Shawn is cynically misrepresenting the
open source security community, or he genuinely - but mistakenly -
believes that's the case.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
