I think your analysis is irresponsible and fallacious.
ESR is making a completely valid point, and the underlying premise of his theory---that having software open to review can help---is only confirmed by this incident, not rejected.
Specifically: If GnuTLS were closed source, this problem would likely never be publicly discovered and disclosed.
So overall, ESR's theory is accurate and useful.
Note the word "almost" in the theory, which serves as a (completely valid) escape hatch (that you are mistakenly neglecting) for incidents like this---which fit the underlying premise, but are "corner cases" rather than "common cases."
If it is open source, as in a Debian release, an end user's recourse is to fix it themselves.
If it is commercial, be it closed source or not, an end user's recourse is to sue the supplier (or something similar).
The commercial supplier has a financial incentive to get it right; the open source developer has an intellectual and street cred incentive to get it right. I'm not sure which one actually works better. I know that the popular opinion is the ESR eyeballs claim, but it's not clear to me which gets it more correct. Seems like they both fail at times.
> If it is commercial, be it closed source or not, an end user's recourse is to sue the supplier (or something similar).
Are there examples of doing this successfully? As far as I can tell, software manufacturers have largely been successful at avoiding traditional product liability for damages caused by malfunctioning software, through a mixture of EULAs and courts buying the "but software is different" argument. Here's an article series on that: http://www.newrepublic.com/article/115402/sad-state-software...
> The commercial supplier has a financial incentive to get it right
Is this why Microsoft dominated the market for 15 years with the worst security model of all contemporary operating systems?
How many lawsuits were successfully pressed against Microsoft for losses due to their crappy security implementation? Forget about successfully, how many were even brought against them? Of those brought against them, how many were from companies not large enough to have their own legal departments?
> The commercial supplier has a financial incentive to get it right
> Is this why Microsoft dominated the market for 15 years with the worst security model of all contemporary operating systems?
No, that's why Microsoft after XP tightened their security. Because they had an incentive to "get it right".
> I have better things to do than wait 15 years for a vendor to look at fixing a serious issue.
Perhaps, but that's just one aspect.
For most of those 15 years there wasn't an OS available that was better supported, friendlier to the common user, had tons of desktop and business software, and was compatible with almost all hardware.
They had an even greater incentive to get that right first, and they did.
> If it is commercial, be it closed source or not, an end user's recourse is to sue the supplier (or something similar).
That is assuming the supplier is still in business, which is probably a dubious proposition for a majority of commercial software that has ever shipped.
Something can be open source and used commercially. Apparently this bug was found via an audit by RedHat, which obviously is a commercial company that uses GnuTLS.
Don't mistake me as a zealot, though. There is a place for open source and there is a place for closed source. AFAIK, that is also ESR's point, and why he broke ranks with Stallman, who claims that closed source is evil.
There are also many reasonable ways for closed source software (or more accurately "non-free proprietary software") to make the sources available for review, but not give away all the rights. Like "Microsoft Shared Source Common Language Infrastructure", etc.
Of course it's better for software to be free / open source, but it's nonsense to imply that only open source software has the potential to be seen by "many eyes".
My eyes are still red and sore from staring at the MFC source code before the turn of the century.
Why wouldn't it be discovered? As I understand, it was discovered by an audit of an interested party. That happens to closed-source software too. If GnuTLS were a proprietary product of RedHat, or sold by a proprietary company to RH while allowing RH to audit, but not publish, the source, the result would be the same. Disclosure might not happen, but discovery still would.