万维百科英文版

Linus's law本文重定向自 Linus's Law

In software development, Linus's law is the assertion that "given enough eyeballs, all bugs are shallow".

The law was formulated by Eric S. Raymond in his essay and book The Cathedral and the Bazaar (1999), and was named in honor of Linus Torvalds.[1][2]

A more formal statement is: "Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone." Presenting the code to multiple developers with the purpose of reaching consensus about its acceptance is a simple form of software reviewing. Researchers and practitioners have repeatedly shown[citation needed] the effectiveness of various types of reviewing process in finding bugs and security issues[3].

Validity

In Facts and Fallacies about Software Engineering, Robert Glass refers to the law as a "mantra" of the open source movement, but calls it a fallacy due to the lack of supporting evidence and because research has indicated that the rate at which additional bugs are uncovered does not scale linearly with the number of reviewers; rather, there is a small maximum number of useful reviewers, between two and four, and additional reviewers above this number uncover bugs at a much lower rate.[4] While closed-source practitioners also promote stringent, independent code analysis during a software project's development, they focus on in-depth review by a few and not primarily the number of "eyeballs".[5][6]

The persistence of the Heartbleed security bug in a critical piece of code for two years has been considered as a refutation of Raymond's dictum.[7][8][9][10] Larry Seltzer suspects that the availability of source code may cause some developers and researchers to perform less extensive tests than they would with closed source software, making it easier for bugs to remain.[10] In 2015, the Linux Foundation's executive director Jim Zemlin argued that the complexity of modern software has increased to such levels that specific resource allocation is desirable to improve its security. Regarding some of 2014's largest global open source software vulnerabilities, he says, "In these cases, the eyeballs weren't really looking".[9] Large scale experiments or peer-reviewed surveys to test how well the mantra holds in practice have not been performed.

See also

References

  1. ^ Raymond, Eric S. "The Cathedral and the Bazaar". catb.org.
  2. ^ Raymond, Eric S. (1999). The Cathedral and the Bazaar. O'Reilly Media. p. 30. ISBN 1-56592-724-9.
  3. ^ Pfleeger, Charles P.; Pfleeger, Shari Lawrence (2003). Security in Computing, 4th Ed. Prentice Hall PTR. pp. 154–157. ISBN 0-13-239077-9.
  4. ^ Glass, Robert L. (2003). Facts and Fallacies of Software Engineering. Addison-Wesley. p. 174. ISBN 0-321-11742-5. ISBN 978-0321117427.
  5. ^ Howard, Michael; LeBlanc, David (2003). Writing Secure Code, 2nd. Ed. Microsoft Press. pp. 44–45, 615. ISBN 0-7356-1722-8.
  6. ^ Howard, Leblanc. p 726.
  7. ^ Bruce Byfield, "Does Heartbleed Disprove 'Open Source is Safer'?", Datamation, April 14, 2014 [1]
  8. ^ Edward W. Felten, Joshua A. Kroll, "Heartbleed Shows Government Must Lead on Internet Security" = "Help Wanted on Internet Security", Scientific American 311:1 (June 17, 2014) [2] doi:10.1038/scientificamerican0714-14
  9. ^ a b Kerner, Sean Michael (February 20, 2015). "Why All Linux (Security) Bugs Aren't Shallow". eSecurity Planet. Retrieved February 21, 2015.
  10. ^ a b "Did open source matter for Heartbleed?".

Further reading


本页面最后更新于2019-11-15 14:18,点击更新本页查看原网页

本站的所有资料包括但不限于文字、图片等全部转载于维基百科(wikipedia.org),遵循 维基百科:CC BY-SA 3.0协议

万维百科为维基百科爱好者建立的公益网站,旨在为中国大陆网民提供优质内容,因此对部分内容进行改编以符合中国大陆政策,如果您不接受,可以直接访问维基百科官方网站


顶部

如果本页面有数学、化学、物理等公式未正确显示,请使用火狐或者Safari浏览器