No program is perfect, but bugs in open source software are less of a problem, says technology analyst Bill Thompson.

The Firefox open source browser is full of bugs, some of which are rather serious. In March Danish security firm Secunia reported that it had found eight. Some could be used to trick users into giving away confidential information. Others could let hackers get access to people's computers.

Every few days there are new ones. In fact the little red button that tells you a "critical" update is available appears almost weekly, sending users off to the website to get the new version and fix yet another bug or security hole.

Since one of the main reasons people give for moving to Firefox from Microsoft's Internet Explorer (IE) is that IE is full of bugs and vulnerable to attack, this might seem to show that it does not matter which browser you use, since you are still going to be in trouble.
April 26, 2005 11:44 AM | Posted in Mozilla


What is interesting to me is how many people outside the dev team are reviewing the patches and fixes that devs provide?
My experience as an OSS developer and user makes this statement rather doubtful. It seems like many say: "Oh, I can look into the code and fix it by myself." This may be so for small projects with a limited number of users. But speaking about big software projects like FF, is it so? Are there any figures, like the number of patches devs receive monthly from the outside world compared to the number of the devs' own patches?

Comment by Alexander Krestinin at April 26, 2005 12:53 PM | Permalink

Another thing to consider: Many critics of open source contend that with the source code available, it will be easier for the black hats to find holes to exploit. Of course the white hats have access too.

There's the standard OSS philosophy that just having enough people looking will make it more likely that the good guys will find the bugs first, plus there's the fact that expert security researchers (Secunia, for instance) -- if they are so inclined -- are able to investigate OSS software more easily than closed source. Even if they're not the ones fixing the bugs, the fact that the good guys are finding them and telling the developers should, in theory, mean more rapid progress in fixing vulnerabilities on a high-profile OSS project than on a high-profile proprietary one.

Comment by Kelson at April 26, 2005 05:56 PM | Permalink

Bug 283730 matters!!

Comment by Block Sheep at April 27, 2005 02:46 AM | Permalink

