Firewall Wizards mailing list archives

Code reviews [Was: FWTK and smap/smapd]


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 19 Jul 2002 13:07:06 -0400

Paul D. Robertson wrote:
> In Open Source projects, is there some sense that moving the testing out to the
> customer isn't as bad as it is in commercial development, as that's their
> cost of goods?  My gut is that sometimes that adds good eyeballs that
> wouldn't have looked otherwise, but is that accurate?

My experience with the firewall toolkit is somewhat dated, but if
I were to guess, 95% of the emails I got to fwtk-bugs were from
idiots who were too lazy to read the README or who didn't know
how "make" worked. Of the remaining 5%, there was a breakdown of
a smattering of genuine bugs or reasonable feature requests, as
well as a few design queries. But, of the "10,000 eyeballs" effect,
only a few dozen of those eyeballs were any good. And Carson was
so darned insufferable about the patches he sent in that even though
he was right I wished he'd go away. ;)

I think relatively few people look at the code nowadays - it's
almost certainly lower proportionally than it used to be. But the
number of eyeballs has, perhaps, gone up. The whole concept of open
source code review is very dubious to me, since the typical open
source package is hugely bloated with features and portability
hacks, comes with a convoluted "configure" script and - well - in
the face of that why not just install the rpm?

mjr.
---
Marcus J. Ranum                         http://www.ranum.com
Computer and Communications Security    mjr () ranum com
