Last week, I responded to some of James Coplien's remarks concerning what customers expect from their software. At the ACCU conference last month, Coplien also talked about the security advantages enjoyed by a distributed, independent development community:
Security is a system concern--it is a complex system. How does nature deal with complex systems? Each cell does its own thing. The complementary, independent, selfless acts of thousands of individuals [in the open source community] can address system problems--there are thousands of people making the system stronger. If it was uncoordinated, it wouldn't work, but there is a core of developers at the center.
This is a bit confusing, as he praises the distributed, independent nature of the open source development community and then turns around and says it wouldn't work without central control. But that's partly due to the nature of software. Software needs to be broken down into smaller parts that are manageable in distributed development, and the resulting pieces need to be assembled centrally. So, the confusion isn't on his part.
I do think, though, that what he is describing is not that far off from what happens in proprietary systems. It's not like 10 people developed Windows. The Windows team is very large, certainly larger than the core team of Linux contributors. Furthermore, the team extends beyond Microsoft to include third parties making components for Windows.
I also think that the ecosystem of companies oriented around the Windows platform makes a "selfish" version of the "selfless" individuals who contribute to Linux. (Not to mention an ecosystem more likely to make products regular consumers actually want, as contributors aren't just "scratching itches" -- but that is an issue for another blog post.) Granted, they don't all have access to source code, which makes the discovery of bugs harder, and makes identifying them properly to Microsoft harder still.
That's offset, however, by the fact that Microsoft has such a huge user base that daily bangs on the base platform. That user base includes regular consumers (whom Microsoft has enabled to make "bug reports" through the error reporting feature that gives them the option of sending error details to Microsoft) as well as companies/developers that build products for Windows. They work with less information than some Linux developers/users (remember, not every Linux user is a developer who can use source code, and large organizations can access Windows code), but there are so many more of them, making bugs more shallow by brute force. Ten cops ferreting out an escaped criminal might be more effective as individuals if they are given schematics of the building where the criminal is hiding, but send in 1000 cops with no schematics and they'll find him faster.
So, open source software's bug-hunting advantage in terms of increased knowledge of a system due to access to source code (which only applies to some users of Linux) is offset, IMO, by the sheer numbers of users of Windows. I might add that Microsoft is closing the information gap even more by slowly loosening the restriction on access to source code. Not every Linux user takes advantage of access to Linux source code, and not every Windows user has access to Windows source code. Through tweaks in the shared source system, though, Microsoft might be getting closer to a de facto information parity.