Many eyes caught this; this was found within the community, a community that was not as big in the early to mid 1990s as it is now.
Although it's hardly a serious problem now, this really goes to confirm my suspicion that the security benefits of open-source software are in many cases - not all, but many - largely theoretical.
The turnaround time on bugs in the OSS community is huge. And consider you're talking about elm, an email client almost nobody uses. If we got a notification about every vulnerability in the closed-source world, I think you would see OSS stacks up quite nicely.
I think the reality is that, in most cases, very few people beyond the actual author bother to read/audit the code for the open-source software they use.
Here's the thing: most projects have more than one author. If OSS code is written in a UNIX-like philosophy and is useful, it quickly develops a large development community that will survive the loss of the initial author.
And it only took them two decades to track it down. C'mon, let's be honest for a minute - that bug has been there for years, including the entire time people were actually using elm, and nobody caught it. Yes, it's not as big now, but back when it was big, this bug was undetected, and remained undetected, despite the fact that the source has been available from the beginning.
The turnaround time on bugs in the OSS community is huge.
I think not - I do not think that it is possible to make such a sweeping judgement about the "community". I think that, within that community, the turnaround time for large, high-profile projects - the Linux kernel, Mozilla, a few others perhaps - is quite decent. I also think that for every project like that, there are a hundred smaller, less high-profile projects within the community that are basically operating in obscurity, and where the code is not usually given a serious examination by anyone other than the authors. And not to put too fine a point on it, but it doesn't matter at all how fast bugs get fixed in the kernel if they hang around forever in elm, or sendmail, or the finger daemon, or whatever - the success of one does not obviate the failure of the other.
Here's the thing: most projects have more than one author. If OSS code is written in a UNIX-like philosophy and is useful, it quickly develops a large development community that will survive the loss of the initial author.
Okay, great. So when the original author gets hit by a crosstown bus, at that point someone else will start looking at the code. Why don't I find that comforting? ;)