More eyeballs please, nom nom

It’s always a little disturbing getting a peek inside the sausage factory, especially when it comes to software and developers I have irrational faith in – like any project involving cryptography. We would all like to believe that “given enough eyeballs, all bugs are shallow,” and that open sourcing your software means you can have as many eyeballs as you like.

This quote from Theo De Raadt in reply to a question about the alleged IPSEC backdoor reminded me uncomfortably of the reality of open source:

> where would you start auditing the code? It’s just too much.

Actually, it is a very small part of the tree. If we all do our part, it will get better. It still won’t be perfect. It is just too big.

For some reason, this exchange shocked me – the IPSEC code in BSD is simply too large to review every line given the number of developers they have. But… but… it’s… cryptography… Yes, Valerie, there is no Santa Claus!

This reminds me of something I’ve been worrying about for a while: the VFS could use more eyeballs. Al Viro and Christoph Hellwig are absolutely heroic developers who work way too hard, but the volume of work they have to deal with is just too big for two human beings. Right now, outstanding patch sets to the VFS include Nick Piggin’s VFS scaling work, David Howells’ d_automount() rewrite, and union mounts.

Exercise for the reader: How do we attract more developers to the VFS?