>> To have fewer bugs due to an external audit, that external audit
>> would have to happen, not just be possible.

> Not necessarily. Just the threat of public embarrassment [...] could
> cause open source developers to be more disciplined in the first
> place. This hypothesis has been around for quite some time as part
> of the "open source is better" hype.
> However, it is also unsubstantiated.

I'm also not entirely certain it's as relevant as the discussion makes it sound. As someone who insists on source code (not necessarily open source by any of the various definitions floating around - but if *I* don't have source, I don't run it), my reasons aren't so much that I think it likely to be more nearly bug-free as much as that if I suspect a bug, I can go check, and if I encounter a bug, I can go fix it. Or at least much more nearly so. I've run into bugs in gcc that I am not competent to fix, but I've been able to fix a much higher proportion of the bugs (and nonbugs that I desire to have changed, such as feature enhancements) I've run into when I've had source than when I haven't.

However, until a significant fraction of the market starts making similar choices, it won't have any significant effect on the mandates handed from managers to coders - and shops where managers hand out orders to coders are still where almost all of the code comes from, whether in terms of number of programs, number of lines, number of copies run, whatever. I've seen indications that this is starting to happen, which I (being a fairly strong source-code bigot) find encouraging. But they're still just preliminary rumblings.

I'm not sure whether this list's focus is more "how do we write code more securely, assuming we have the mandate to do so" or "how do we cause more of the code written to be more secure" (or perhaps something else).

/~\ The ASCII                       der Mouse
\ / Ribbon Campaign
 X  Against HTML               [EMAIL PROTECTED]
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B