"but the availability of the source code means that anyone can."
"but the availability of the source code means that anyone can." is the old excuse trotted out by the open source fanboys.
Unfortunately it doesn't hold up to any degree of scrutiny:
• You are assuming "someone(s)" will "always" review the code
• You are assuming the "someone(s)" who do the code review are suitably qualified to do so and up to date on their skillset
• You are assuming the same "someone(s)" will review the code in a timely manner
• You are assuming the same "someone(s)" will review the code after each new commit, which might introduce new vulnerabilities or re-open old wounds.
• These "someone(s)" lead a real life with jobs / family / other commitments
• There are millions of Open Source projects out there and only a limited number of suitably qualified "someone(s)" to do the volunteer code audits for you
• The lower down the "free publicity" chain the "someone(s)" will get for finding bugs in your Open Source code, the less chance of them "volunteering" their time to audit
• In this day and age, the "someone(s)" are expecting a payment in return. If you're not offering a bounty, and you're not a high-profile open source project, the chances of a quality "someone" doing a code audit for you are remote!
Need I go on?