We see time and again that more eyes on open source doesn't count for a ton either. We had a relatively simple use after free in the kernel just a couple months ago that had been there for a long time. The benefit of open source is that we could demand and verify good testing and analysis for foundational bits of code, but we don't.
> we could demand and verify good testing and analysis for foundational bits of code, but we don't.
Who would you take these demands to? Most FOSS software is written and managed by volunteer maintainers; if you start demanding things from them they will rightfully tell you to jog on.
Even when they are not volunteers, they are likely employees of companies that fund this development largely because they require and rely on the software. In which case, they likely have priorities set that are aligned with that company, and the needs of other users are low priority at best, but more likely largely irrelevant.
The people who do the testing and analysis don't have to be the authors. If I do something for fun, and a FAANG makes a double-digit percentage of the world's GDP depend on its security, then I would hope we demand that the company who benefits ensure that security in an open way, or choose other software. But that would cost more.