[liberationtech] Communities needed to mitigate heartbleed type bugs

Nick liberationtech at njw.me.uk
Wed Apr 23 05:38:31 PDT 2014


I took the liberty of changing the subject line to something that 
hopefully somewhat summarises your email.

Quoth Arnaud Legout: 
> As polemical as it can be, deeply-held belief such as "I will always
> go for open source code because its security will
> be much higher than any closed source counterparts" should be
> seriously reconsidered
> when there is not a strong community of developers working on code
> maintenance.

There is a lot of shitty code around. That has always been the case, 
and will always be so. Anyone who has used the OpenSSL codebase or 
looked at it even briefly has seen for years that it's shitty, and 
probably won't have been too surprised by the recent heartbleed bug.  
Strong code can and does come out of small teams, including those of 
one or two people.  I would recommend that rather than judging the 
quality of a project by whether there is a "strong community of 
developers" or how the project is financially backed, you take a few 
minutes to look at the state of the source code. That isn't a deep 
audit, of course, but it can give you a sense for the tastes and cares 
of the people behind the code.  Needless to say, proprietary code 
which forbids such examination should be avoided, for this and other 
good reasons.

