Two very different news articles crossed my desk today. First, there was a report that open source developers on 32 projects fixed 900 bugs in two weeks that had been reported by an automated scan of their code by Coverity, sponsored by a grant from U.S. Homeland Security. Second, a Microsoft security official gave a presentation in which he said that rootkits, phishing, trojans, spyware, and other forms of malware had gotten so bad on Windows that IT departments needed to come up with a fast way to "nuke the systems from orbit", i.e., wipe the hard drive and start over. He went on to say that phishing is a problem because "there really is no patch for human stupidity".
Suppose for a moment that popular open source systems like Linux or Samba were suddenly under the same wide ranging attacks that the proprietary Microsoft systems are under now. What do you think would happen?
I predict that lots of people, all over the world, would get fed up and start fervently scanning for holes, first by hand and then with ever more sophisticated automated analysis, both static scans over the source code and analysis at run time. Lists of bugs would be created, reputations put on the line, and those lists would be pounced upon by some of the same people who pounced on the Coverity list.
While the problem would not be solved in two weeks, there would certainly be a heck of a lot of progress in a hurry, compared to the years over which fixes have trickled out of Redmond. Users are plenty fed up now, but what can even knowledgeable users do to help without the source code? Nothing.
What do you think? Which is inherently more *securable*, open source or closed source?