This might seem like a nitpick, but I think you're confusing two distinct camps here: let's call them "Open Source" and "Free Software".

Open Source advocates -- such as Eric S. Raymond -- believe that it is superior on technical grounds, the "many eyes make all bugs shallow" theory. They tend to disregard ideology and instead believe OS is the rational decision of those who want technically better software. In my opinion this is not always true, as Heartbleed shows (but then again who knows how many undisclosed vulnerabilities are there in existing proprietary software! At least now we know about Heartbleed!)

Free Software advocates -- such as Richard Stallman and the FSF -- believe it's a matter of ideology. This has little to do with technical quality. They say "sure, if the software is better that's a plus, but freedom is a matter of principle to us".

I'm not a zealot but I tend to side with the Free Software camp, and I don't see how the OpenSSL fiasco undermines their ideology.

PS: I also take issue with the "paid security researcher" remark. Absolutely nothing in either Free or Open Source excludes paid personnel or private companies from the equation. Hobbyist programmers are not the only ones accepted. I don't understand why you see this as extraordinary.




PS: I also take issue with the "paid security researcher" remark. Absolutely nothing in either Free or Open Source excludes paid personnel or private companies from the equation. Hobbyist programmers are not the only ones accepted. I don't understand why you see this as extraordinary.

I never meant to imply paid researchers should not work on it. What I meant is:

The whole world can see every line of code in Linux. This is one of the reasons Linux is more secure than other operating systems and why open-source software overall is safer than closed software. The transparency of the code ensures it’s secure. - Linux Foundation executive director Jim Zemlin

http://venturebeat.com/2013/11/26/linux-chief-open-source-is...

What happened in the case of Heartbleed? The security flaw was found by paying someone to work on the security.

I meant to mock this: "The transparency of the code ensures it’s secure", mocking it by noting that nobody cared to look for or fix that bug because OpenSSL was important, because it was widely used, because it was interesting, because it was open source, because it was a puzzle, just for something to do one rainy day. Only when someone was paid to do it did it get done. Therefore the "open source is more secure" claim is a nonsense.

It's more secure because someone was paid to work on it. The claim that "open source did it" is snake oil.


In this case, you're right. I don't know that I would make a general rule out of it, though. Maybe in general open source helps, but in this case (for several reasons, including that OpenSSL seems to be a barely understandable mess, or "written by monkeys" as some put it) it didn't.

I agree that thinking "open source magically makes software better and more secure" is absurd. I also agree that Jim Zemlin's statements (in general, in that article) are more of a PR thing than accurate statements.


I do see the distinction between open source and free software, but I'm not sure it applies here. This bit of your comment particularly:

They tend to disregard ideology and instead believe OS is the rational decision of those who want technically better software.

If ESR is writing software in the way he thinks results in better software ... how come I know who he is? Because he's not doing that, he's doing more than that.

I don't know if he prefers working in the mornings or evenings. I don't know how he backs up his work. I don't know whether he prefers a laptop screen or an external display or who he trusts to contribute to it - presumably he made rational decisions there for the benefit of his software, and didn't feel the need to tell the world all about it.

Yet when it comes to open source, he does more than "choose the best option for his software and use it", he also: spreads the word, advocates for it, tries to convince others. Wikipedia says "Raymond was for a number of years frequently quoted as an unofficial spokesman for the open source movement."

By contrast, there is no comparable "closed source movement" which organizes conferences and runs websites and talks to journalists and advocates in favour of closed-source development because it makes software better. There's no popular closed-source unofficial spokesperson I can point to whom you recognise.

I argue that people pushing "open source produces better code" are making that an ideology of its own, separate from anything to do with Stallman and 'free as in speech'.

And it's that ideology of 'Open Source leads to technically better software' which Heartbleed is showing up as weak and oversold. You agree that it's "not always true". My point is that Open Source proponents make it seem like it should be "always true", like there's a very strong case for it. And I say that Heartbleed shows there isn't.

'Everyone' knows about bounds checking in C. Everyone knows about not trusting input from a remote machine without verifying it. Everyone knows about being extra tip-toe careful around cryptography software because it's high importance and brittle. What did OpenSSL do about it? Nothing.

Almost as if Open Source made no difference at all, and what matters about developing trustworthy software is people, welcoming communities, a thousand cultural decisions setting and holding patterns of procedures to systematically catch common errors in C, common errors in network code, common errors in security, common errors in memory management, add regression tests, encourage documentation, add compliance tests, etc. etc.

Open source does not automatically lead to better software.

And many people strongly imply that it does, automagically, lead to better software.

(The fact that OpenSSL still became popular and widely used despite being a mess is if anything a win for 'free as in speech' - anyone can do any due diligence they want on the OpenSSL code, make their decision to use it for any project, fork and patch and modify it as they go. On that front it's a massive win for that ideology).
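The two things the comment above says "everyone knows" (bounds checking in C, and not trusting a length a remote machine sent you) are the same defect class as Heartbleed, so here is an added example of that class in miniature. This is not OpenSSL code or the thread's own; the three-byte record layout, the `echo_unchecked`/`echo_checked` names and the filler arena are all constructed for illustration. The unchecked copy trusts the peer's declared payload length and so reads past the seven bytes actually received into whatever sits next to them in memory; the checked version refuses any record whose declared length exceeds what was received. The arena keeps the over-read inside allocated memory so the demonstration is deterministic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed message layout (an assumption for this example, not a real protocol):
 *   byte 0     type
 *   bytes 1-2  declared payload length, big-endian
 *   bytes 3..  payload
 * record_len is how many bytes the peer actually sent. */
#define HDR_LEN 3

/* Vulnerable form: the peer's length field is trusted, so the copy can read
 * past the end of the received message into whatever follows it in memory. */
static size_t echo_unchecked(const uint8_t *record, size_t record_len,
                             uint8_t *out, size_t out_cap)
{
    (void)record_len;                              /* never consulted: the bug */
    size_t declared = ((size_t)record[1] << 8) | record[2];
    if (declared > out_cap)
        declared = out_cap;                        /* protects out, not the read */
    memcpy(out, record + HDR_LEN, declared);
    return declared;
}

/* Hardened form: the declared length must fit inside the bytes received
 * and inside the destination. Returns 0 on success, -1 on a malformed record. */
static int echo_checked(const uint8_t *record, size_t record_len,
                        uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (record_len < HDR_LEN)
        return -1;                                 /* header incomplete */
    size_t declared = ((size_t)record[1] << 8) | record[2];
    if (declared > record_len - HDR_LEN)
        return -1;                                 /* claims more than was sent */
    if (declared > out_cap)
        return -1;                                 /* would overflow the destination */
    memcpy(out, record + HDR_LEN, declared);
    *out_len = declared;
    return 0;
}

/* Constructed test arena: a 7-byte record whose header declares 16 payload
 * bytes, followed by filler 'S' bytes standing in for unrelated data that
 * happens to sit next to the record in memory. */
#define ARENA_LEN 64
#define RECORD_LEN 7
static void build_arena(uint8_t arena[ARENA_LEN])
{
    const uint8_t record[RECORD_LEN] = { 0x01, 0x00, 0x10, 'p', 'i', 'n', 'g' };
    memset(arena, 'S', ARENA_LEN);
    memcpy(arena, record, RECORD_LEN);
}

/* How many filler bytes the unchecked copy hands back for the constructed record. */
int demo_unchecked_leaks(void)
{
    uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    build_arena(arena);
    size_t n = echo_unchecked(arena, RECORD_LEN, out, sizeof out);
    int leaked = 0;
    for (size_t i = RECORD_LEN - HDR_LEN; i < n; i++)   /* bytes past the real payload */
        if (out[i] == 'S')
            leaked++;
    return leaked;
}

/* The checked parser's verdict on the same over-long record (-1 = rejected). */
int demo_checked_rejects(void)
{
    uint8_t arena[ARENA_LEN], out[ARENA_LEN];
    size_t out_len = 0;
    build_arena(arena);
    return echo_checked(arena, RECORD_LEN, out, sizeof out, &out_len);
}

/* A well-formed record: declared length 4 matches the 4 payload bytes sent. */
int demo_checked_accepts(void)
{
    const uint8_t record[] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[ARENA_LEN];
    size_t out_len = 0;
    if (echo_checked(record, sizeof record, out, sizeof out, &out_len) != 0)
        return -1;
    return (int)out_len;
}

int main(void)
{
    printf("unchecked copy returned %d bytes from beyond the received record\n",
           demo_unchecked_leaks());
    printf("checked parser verdict on the same record: %d\n", demo_checked_rejects());
    printf("checked parser on a well-formed record returns %d payload bytes\n",
           demo_checked_accepts());
    return 0;
}
```

The point the thread makes is visible in the diff between the two functions: the fix is two comparisons against `record_len`, and nothing about the licence of the code makes anyone write them. A regression test along the lines of `demo_checked_rejects` is the kind of "pattern of procedure" the comment above argues actually catches this class of error.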


I agree with you that open source does not automatically lead to better software.

Now that you've clarified you weren't talking about RMS's "free as in speech" ideology, I retract my nitpick.

I wouldn't say open source doesn't matter in regard to quality and security, though, but I agree with you on the importance of the other factors you mention. I do wonder what would have happened with a similar bug/exploit in a piece of commercial software. Who knows? Maybe it's already there and we simply don't know about it, and there are fewer people looking at it.


Security researchers do find and report buffer overflows in closed source software, which then get fixed by the manufacturer. It happens.

But yes, I also wonder about the balance of bugs in similar open/closed source software.
