Good example: Chromium blob found by Debian (via LWN)

Florian Weimer fw at deneb.enyo.de
Tue Jun 30 20:08:21 UTC 2015


* Bernhard Reiter:

> We all know that the review that is actually happening
> is really important for raising the quality of software.
> Free Software always enables third party peer review,
> which makes it an important precondition for good security.
>
> Here is an example where the peer review of Debian
> found an issue that - most likely - slipped the Google devs.

I find it difficult to fit this comment to the available facts.

The issue was discovered based on application behavior.  Application
behavior is independent of source code availability.

You don't have to be a peer to spot anomalous application behavior.
For widely used software, I expect that most anomalies are spotted by
end users who are not developers.

Google keeps the download code in Chromium to reduce divergence
between the open and closed code bases (yes, “keeps”, it's still
there, only that there is now a build switch).  As far as I can tell,
this is a deliberate choice, and the developers were genuinely
surprised by the public reaction.
