ESR's "many eyes" quote in his "Linus's Law" is unmitigated bullshit. And Linux Torvalds should not be blamed for it, since it wasn't his law, ESR just named it after him to get attention. Hardly anyone actually reads code, and the few people actually qualified to find bugs by reading huge piles of buggy code dumped into the public domain when a company abandons it have much more important things to do with their time.

If the many eyes that Macromedia and Adobe paid to work full time on Flash couldn't prevent the need to push out Flash security patches several times a week, the code is fundamentally flawed far beyond the point that the few much less qualified people who might actually take their unpaid spare time to look at it are able to finally find and fix all the bugs.

The major browser developers have enough on their hands designing new open standards and writing and debugging new code, without having to spend any of their time burning their eyes and brains looking at free abandoned obsolete toxic waste code dumps. And ESR certainly isn't going to chip in and help them.

https://news.ycombinator.com/item?id=43133598

>He made up the ridiculous "many eyes" quote himself, then misnamed it "Linus's Law" to avoid personal responsibility and shift the blame to innocent Linus Torvalds, who never said such a stupid thing, and which HeartBleed and many other eyeballable bugs proved terribly wrong and misguided.

>About which the salty security expert Theo de Raadt famously said "Oh right, let's hear some of that "many eyes" crap again. My favorite part of the "many eyes" argument is how few bugs were found by the two eyes of Eric (the originator of the statement). All the many eyes are apparently attached to a lot of hands that type lots of words about many eyes, and never actually audit code."

https://en.wikipedia.org/wiki/Linus%27s_law

>In Facts and Fallacies about Software Engineering, Robert Glass refers to the law as a "mantra" of the open source movement, but calls it a fallacy due to the lack of supporting evidence and because research has indicated that the rate at which additional bugs are uncovered does not scale linearly with the number of reviewers; rather, there is a small maximum number of useful reviewers, between two and four, and additional reviewers above this number uncover bugs at a much lower rate.[4] While closed-source practitioners also promote stringent, independent code analysis during a software project's development, they focus on in-depth review by a few and not primarily the number of "eyeballs".[5]

>The persistence of the Heartbleed security bug in a critical piece of code for two years has been considered a refutation of Raymond's dictum.[6][7][8][9] Larry Seltzer suspects that the availability of source code may cause some developers and researchers to perform less extensive tests than they would with closed source software, making it easier for bugs to remain.[9] In 2015, the Linux Foundation's executive director Jim Zemlin argued that the complexity of modern software has increased to such levels that specific resource allocation is desirable to improve its security. Regarding some of 2014's largest global open source software vulnerabilities, he says, "In these cases, the eyeballs weren't really looking".[8] Large scale experiments or peer-reviewed surveys to test how well the mantra holds in practice have not been performed.[10]

>Empirical support of the validity of Linus's law[11] was obtained by comparing popular and unpopular projects of the same organization. Popular projects are projects with the top 5% of GitHub stars (7,481 stars or more). Bug identification was measured using the corrective commit probability, the ratio of commits determined to be related to fixing bugs. The analysis showed that popular projects had a higher ratio of bug fixes (e.g., Google's popular projects had a 27% higher bug fix rate than Google's less popular projects). Since it is unlikely that Google lowered its code quality standards in more popular projects, this is an indication of increased bug detection efficiency in popular projects.