If you don't actually audit the hundreds of thousands or millions of lines of code comprising an open source application stack, you don't have a guarantee of what's happening either.
Bugs like Heartbleed demonstrate that massive vulnerabilities can be introduced and persist in well-regarded open-source codebases for long periods of time without detection in spite of theoretical "millions of eyes". Heartbleed was, to the best of our understanding, the result of an honest mistake. What's to say that any significant OSS codebase with thousands of committers doesn't have a substantial number of subtle and less-than-honest "mistakes" of a similar character?
pierreozoux|10 years ago
RodgerTheGreat|10 years ago