>If you seriously think that all bugs in open source are found and magically fixed immediately
I don't think that at all. But, the heartbleed bug is an example of one which should have been, by all rights. It wasn't due to some complex crypto implementation, or an arcane syntactical edge case in C. It was a pointer bug. It was a simple, critical fault in a bit of software which had a lot of very qualified eyes on it, which a lot of people here would ridicule as a matter of course.
Now why, if something like that can happen with code most hackers and open source proponents care passionately about, should it be taken for granted that enough people are going to be validating DVD player and smart TV firmware for the end result to be better for the average end user than expecting whoever the manufacturer hires to do it?
>It was a simple, critical fault in a bit of software which had a lot of very qualified eyes on it
Do we know this particular bit had had a lot of very qualified eyes on it? This is the problem with the eyeball theory. That a piece of code is open for anyone to read does not mean people who care actually read it. Everyone: it's open source, there are many eyeballs on it, therefore I don't need to read it!
I'm trying to think of ways to make people wake up and routinely review the code and changes they use. You really don't need to be an expert programmer to spot a duplicated goto fail or the total lack of bounds checking.
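As an added illustration of the "total lack of bounds checking" mentioned above (my own example, not code from this thread or from OpenSSL), here is the shape of the missing check on a constructed, simplified heartbeat-style record; the record layout and the `hb_` names are assumptions for the example, not the real TLS encoding:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified record layout (an assumption for this example, not
 * the real TLS heartbeat encoding):
 *   [type:1][payload_len:2, big-endian][payload...][padding]
 * The defect class under discussion: echoing `payload_len` bytes back to the
 * peer without checking that many bytes actually arrived, so the copy reads
 * past the end of the record into whatever heap memory sits next to it. */
#define HB_MIN_PADDING 16

/* Hardened echo: returns the number of bytes written to `out`, or -1 when the
 * declared length is not covered by the bytes that really arrived. */
int hb_echo_checked(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap)
{
    if (rec_len < 3)                       /* need type + 2-byte length */
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* This is the check the unpatched code lacked: the attacker-controlled
     * length must fit inside the record together with the minimum padding. */
    if (3 + payload_len + HB_MIN_PADDING > rec_len)
        return -1;
    if (3 + payload_len > out_cap)         /* and the reply must fit too */
        return -1;
    out[0] = 2;                            /* response type */
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len); /* copy only bytes that exist */
    return (int)(3 + payload_len);
}

/* Constructed sample: a well-formed 23-byte record declaring 4 payload bytes. */
int hb_demo_well_formed(void)
{
    uint8_t rec[3 + 4 + HB_MIN_PADDING] = { 1, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return hb_echo_checked(rec, sizeof rec, out, sizeof out);   /* 7 */
}

/* Constructed sample: the same 23-byte record, but declaring 65535 bytes. */
int hb_demo_overlong(void)
{
    uint8_t rec[3 + 4 + HB_MIN_PADDING] = { 1, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return hb_echo_checked(rec, sizeof rec, out, sizeof out);   /* -1 */
}
```

The whole fix is the one comparison of a length taken from the wire against the length of what was actually received, which is exactly the kind of thing a non-expert reviewer can look for.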
From Robin Seggelmann, the maintainer who "accidentally" added the heartbleed bug:
"""
...
OpenSSL is definitely under-resourced for its wide distribution. It has millions of users but only very few actually contribute to the project.
"""
I really think you should try joining an open source community and contributing some code. Then I suspect you'll understand that it is just as hard as any proprietary code (like that which I work on for $day_job). The difference is that Open Source code, even critical stuff that runs the internet, is often woefully under-staffed and over-expected to be perfect.