Open source still the best way to develop software

Study finds that many popular open source software programs contain significant security holes

A recent report claims that one of the fundamental benefits of open-source development, the co-called Law of Many Eyes is wrong. The idea behind the law is that since anyone can read the source code and find problems with it, they can then either fix them or report them back to the community. The end result is that you get better software.

The study, by Fortify Software, a company that makes development tools for checking security, found that many popular open source software programs contain significant security holes. I can't take this study too seriously. After all, what else is Fortify going to say? "Open-source's Law of Many Eyes works great. You don't need our products?" I don't think so.

Here's what I think. I think the Law of Many Eyes, or as Eric Raymond phrased it in his seminal work on open source, The Cathedral and the Bazaar, "given enough eyeballs, all bugs are shallow," does work. All you need do is watch how quickly open-source projects progress and how quickly they fix bugs to know that.

However, there's nothing magical about the Law. Just because bugs are easier to find and fix, doesn't mean that all bugs are found quickly or fixed quickly. People who actually work in open source already know this.

For example, in late June, Mark Shuttleworth, Ubuntu Linux's founder, wrote in his blog that while Ubuntu is doing a good job of finding and fixing bugs both its own Linux distribution and with other associated programs like GNOME and Mozilla, it could do better. Shuttleworth wrote, "When I delved into the data to see how we do with pushing bugs upstream, I found a somewhat mixed picture. In many cases, we do very well indeed. We have a very good relationship with GNOME, for example, with a very high percentage of bugs appropriately forwarded to the relevant upstream bug tracker. In other projects, it's harder to make a definitive statement. The percentage varies based on whether the Ubuntu team members have good relationships upstream, or whether there's a person acting as an ambassador from Ubuntu to upstream.

In other words, cross-project communications can be a problem. If one set of eyes sees a problem, but what they see is never reported to a project's developers, then the Law of Many Eyes is less effective.

Shuttleworth concluded, "We need to improve the tools that support these kinds of cross-project conversations. Launchpad [a set of integrated development tools] that support collaboration and community formation] does currently allow us to track the status of a bug in many different bug trackers, and there are quite a few distributions and upstreams that are now either using Launchpad directly or exchanging data efficiently. We'll keep working to improve the quality of exchange across the whole ecosystem, including those projects that don't use Launchpad themselves."

I could cite other examples, but the point is that open-source developers already know that the Law by itself doesn't automatically make things better. It only works when it's actively used. Thanks to efforts like Launchpad, it does become easier to put the Law into practice.

At the same time, Fortify is right about one point. Open-source developers could better use of security debugging software. Some projects already do this. For example, I know that Samba, the CIFS (Common Internet File System) server, makes use of Coverity's code scanning tools. More open-source projects could, and should, make use of these tools.

The Many Eyes approach isn't broken. It just needs to be taken for what it really is, just an excellent, but not miraculous, way of fixing software. With platforms like Launchpad making it more effective and security bug checking software, we can expect to see better, more secure open-source programs. Software, I might add, that I expect will continue to be better than its closed-source counterparts.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?