Dan Goodin, Ars Technica:
Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.
Goodin argues that the bug is worse than Apple’s highly publicized “goto fail” bug, as it appears that it may have gone undetected since 2005.
I’d like to pretend I’m above feeling a bit of schadenfreude given that some of the loudest critics of Apple tend to be the open source zealots, but I’m not. One of the more religious aspects of Open Sourcitude is the insistence that all software ills stem from proprietary, closed source code. If the code is open, then in theory there should be fewer bugs, more opportunity for new features, and a lower chance of the software dying due to abandonment by its original developers for whatever reason.
But in actual, real-world practice, software with few users tends to stagnate; software that becomes popular tends to keep being developed. This holds true regardless of the license and access to the source code. There are a lot of fossilized open source projects out there, and a lot of commercial products with vibrant communities. Being open source helps create such communities for certain kinds of applications (mostly developer tools), but it’s neither necessary nor, in and of itself, sufficient. And no one—not even the most passionate open source developer—ever says something like, “You know what I’d like to do tonight? Give GnuTLS a code security audit.”