On Tue, 2010-02-16 at 08:33 +0200, cornel panceac wrote:

> is this wrong?
>
> Microsoft's Many Eyeballs and the Security Development Lifecycle
> http://blogs.msdn.com/shawnhernan/archive/2010/02/13/microsoft-s-many-eyeballs-and-the-security-development-lifecycle.aspx

"In product after product, Microsoft continues to ship fewer vulnerabilities than our competitors. Look at the results from Jeff Jones blog: http://blogs.technet.com/security/. Jeff is a Microsoft guy, of course, and thus not an entirely impartial source."

*exhales coffee at high velocity*

The issues with Jeff Jones' posts are well-known, and this kind of thing is exactly why I wish he'd stop making them. I think Jeff's an interesting guy who genuinely has good intentions in what he does, but the problem is his posts then get used for simple-minded 'ours is bigger than yours, la la la' crap like this, which I doubt Jeff really intended.

Aside from that, the correct answer to the question is "it's impossible to know", because Microsoft will never actually give you a straightforward answer to the straightforward question "who exactly is involved in ensuring the correctness and security of Microsoft's code, and how do they do this?" They just expect us to take long-on-bluster, light-on-facts blog posts like this as gospel and trust that they have everything under control. Which is the advantage (as far as they're concerned) and the disadvantage (as far as others are concerned) of the proprietary model.

His conclusion is simply off, too. "But the many-eyeballs epithet is an implicit assertion that code review is the only thing that matters" simply isn't really the case. Or if it is, it's a straw man. No matter what ESR wrote in a single-topic piece nearly a decade ago, I don't know of anyone actually involved in open source security who believes that all anyone needs to do is assert Many-Eyes-Code-Review to make their code magically safe.

So either Shawn is cynically misrepresenting the open source security community, or he genuinely - but mistakenly - believes that's the case.

--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net

--
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe: https://admin.fedoraproject.org/mailman/listinfo/test