Free Republic

To: N3WBI3
Many eyes caught this; this was found within the community.

And it only took them two decades to track it down. C'mon, let's be honest for a minute - that bug has been there for years, including the entire time people were actually using elm, and nobody caught it. Yes, it's not as big now, but back when it was big, this bug was undetected, and remained undetected, despite the fact that the source has been available from the beginning.

The turnaround time on bugs in the OSS community is huge.

I think not - I do not think that it is possible to make such a sweeping judgement about the "community". I think that, within that community, the turnaround time for large, high-profile projects - the Linux kernel, Mozilla, a few others perhaps - is quite decent. I also think that for every project like that, there are a hundred smaller, less high-profile projects within the community that are basically operating in obscurity, and where the code is not usually given a serious examination by anyone other than the authors. And not to put too fine a point on it, but it doesn't matter at all how fast bugs get fixed in the kernel if they hang around forever in elm, or sendmail, or the finger daemon, or whatever - the success of one does not obviate the failure of the other.

Here's the thing: most projects have more than one author. If OSS code is written in a UNIX-like philosophy and is useful, it quickly develops a large development community that will survive the loss of the initial author.

Okay, great. So when the original author gets hit by a crosstown bus, at that point someone else will start looking at the code. Why don't I find that comforting? ;)

9 posted on 08/26/2005 9:13:23 AM PDT by general_re ("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)
[ Post Reply | Private Reply | To 8 | View Replies ]


To: general_re
And it only took them two decades to track it down. C'mon, let's be honest for a minute - that bug has been there for years, including the entire time people were actually using elm, and nobody caught it. Yes, it's not as big now, but back when it was big, this bug was undetected, and remained undetected, despite the fact that the source has been available from the beginning.

You hit the nail on the head. Just because many eyes can look at source code doesn't mean that they are -- or that anyone would find security bugs, even if they are looking...
16 posted on 08/29/2005 5:30:39 PM PDT by Bush2000 (Linux -- You Get What You Pay For ... (tm))
[ Post Reply | Private Reply | To 9 | View Replies ]
