Given enough eyeballs, all bugs are shallow
There are 2 problems with that sentiment.
Not all eyes are equal
It doesn’t matter how many accountants look at my code. Their eyeballs will not find a single bug because accountants don’t understand code.
Most open source projects don’t have eyeballs to spare
The theory is that open source is better, more secure and has fewer bugs because many programmers read the code and contribute back more code, bug fixes and documentation.
In reality lack of contributors is the biggest problem of every open source project I’ve ever seen.
Even the most popular, most visible projects, like the Linux kernel, Apache or Firefox, don’t have enough developers.
The smaller the project, the worse it gets.
This has real-life consequences:
- commercial software has full-time programmers working on the code. There are more eyeballs looking at commercial code than looking at open-source code
- if you want eyeballs on your open source project, you have to plan for it