Exit Full View

With enough eyes all bugs are shallow

This is an old phrase, which is, IMHO, meaningless.

  • There aren't ever enough eyes. Resources are always limited.
  • To find the last bug would require an infinite amount of eyes, so even with limitless resources, bugs would still occur.

But the phrase also implies that we should tackle bugs using brute-force. WTF? No!

Work smarter, not harder.

Most bugs are fixed / created before a single line of code is written.

  • Choose a managed language to reduce memory leaks.
  • Design with Weak References to reduce memory leaks further.
  • Languages that treat null-pointers/references as special eliminate null-pointer exceptions. e.g. Choose Kotlin over Java/C#
  • A design using immutable objects will greatly reduce the bug-count.

BTW, I'm not suggesting that all projects should use memory-managed languages etc.But you should consider the options before writing the first line of code.

Security

Security bugs are never found by general users, only by testers/security experts. i.e. Most eyes aren't looking in the right places, so they will never see the bugs.

But again, work smart, not harder.

Why can't I buy a home PC with a button / jumper inside (or outside) the case which enable write-access to firmware? There are so many critical security bugs which would be eliminated by such a button/jumper. These were very common, now they are nowhere to be seen in commodity hardware.

No. I don't want my BIOS or my CPU's management engine to be writeable via the internet (unless I hold down that button or flip the jumper).

If hardware has writeable permanent memory (EEPROM, SDRAM etc), it needs a physical write-enable switch to be secure.

It was somewhat acceptable to be slack about security before the internet was a thing. But we are *still* slack today. Convenience still trumps security. Grr.