Steven J. Vaughan-Nichols
Best Argument: Yes
Audience Favored: No (65%)
All open source software is not created equal
Ed Bott: I love Open Source software. I find it hard to imagine a world without Apache, WordPress, and Firefox, to name three easy examples.
But the world is not a better place because of a horrible security flaw in another Open Source package, the widely used OpenSSL library that existed on web servers for more than a year. The Heartbleed flaw exposed just about everyone who has ever used the Internet to potentially catastrophic losses.
So what happened to the “many eyeballs” that were supposed to inspect that code and find the bugs? Alas, there weren’t enough funds to pay for those eyeballs. Even after the flaw was discovered and donations increased, there’s still not enough money to sustain development properly. And that story, not enough backing and not enough skilled developers, is true for many, many projects.
There’s nothing magical about Open Source, nothing evil about closed source. What matters is that the project be run by an organization that has the resources to write, test, ship, deploy, and maintain code properly. The idea that any Open Source project can be widely used even if it doesn’t have proper backing has to end.
It wasn't a failure of open source
Steven J. Vaughan-Nichols: Seriously? That's the question? Come on!
Make no mistake about it. Heartbleed was open-source's worst hour. But, it wasn't a failure of open source per se. It was a failure to actually practice open-source development methods.
Every developer makes programming blunders. One of the big reasons why open source works is, to quote Linus's law as proclaimed by Eric S. Raymond in his seminal essay "The Cathedral and the Bazaar," that "Given enough eyeballs, all bugs are shallow."
The problem with OpenSSL that let the Heartbleed blunder in is that no one really looked at the code. Heck, it seems not even the NSA looked at the code!
In short, the recipe is still fine, but only if the cooks actually follow it! Of course there are reasons why people don't do this. One of the biggest seems to have been simply paying people to look for bugs. To fix that problem the Core Infrastructure Initiative, made up of top tech companies including Amazon, IBM, Intel, and VMware, will now be sponsoring important, but underfunded, open-source projects.
With cash in hand, and people sticking to the true open-source method, I don't see a repeat of Heartbleed coming up anytime soon.