Can we please stop saying open source is more secure?

I’ve argued for a long time the "open source means more eyeballs means more secure" argument was complete bunk. I’m not particularly happy that the GnuTLS bug – which appears to have been there for up to nine years – has shown I was right. As John Moltz puts it:

This SSL bug may have been in the code for nine years. Please, tell me again that trope about how Mac users blindly think their computers are invulnerable to attack. And it’s not like it’s the only one the platform’s had.

The point is not how many eyeballs look through code (and as Watts Martin points out, no one looks through a lot of that old code). It’s the quality of the eyeballs which matters. If a hundred mediocre coders look through a bunch of code, they’ll never see the same issues that a single really good one will see. People aren’t functionally equivalent units of production.

As Steve Jobs put it:

"In most businesses, the difference between average and good is at best 2 to 1, right? Like, if you go to New York and you get the best cab driver in the city, you might get there 30% faster than with an average taxicab driver. A 2 to 1 gain would be pretty big.

"The difference between the best worker on computer hard-ware and the average may be 2 to 1, if you’re lucky. With automobiles, maybe 2 to 1. But in software, it’s at least 25 to 1. The difference between the average programmer and a great one is at least that.

"The secret of my success is that we have gone to exceptional lengths to hire the best people in the world. And when you’re in a field where the dynamic range is 25 to 1, boy, does it pay off."