Linus's Law
Aphorism coined by Eric S. Raymond in 1999 stating that 'given enough eyeballs, all bugs are shallow' — the claim that open-source code with many concurrent reviewers catches bugs faster than closed proprietary development. The empirical record is mixed.
Linus's Law is the aphorism "given enough eyeballs, all bugs are shallow," coined by Eric S. Raymond in his 1999 essay and book The Cathedral and the Bazaar and named in honor of Linus Torvalds. Raymond's more formal statement runs: given a large enough base of beta-testers and co-developers, almost every problem will be characterized quickly and the fix will be obvious to someone qualified. The law is a claim about Raymond's own observations of open source development, not a principle Torvalds himself articulated.

The argument sits at the heart of Raymond's "bazaar model" of software production. In the closed cathedral model a small team carefully builds a release; in the bazaar model, source code is published early and often, and a wide community of users and developers concurrently reads, tests, and patches it. Raymond's contention was that this parallel scrutiny finds and fixes defects faster than any closed proprietary team could, because each bug tends to be obvious to at least one reviewer in a large enough pool. The framing helped popularize open source as a viable engineering methodology during the late 1990s.

Empirically the record is mixed. The canonical counter-examples are the Heartbleed bug in OpenSSL (disclosed April 2014, present roughly two years in code running on a large fraction of public web servers) and Shellshock, a Bash vulnerability (disclosed September 2014, present in GNU Bash for about 25 years). Both lived in extremely widely deployed, fully open code yet went undetected by the supposed mass of eyeballs. Linux Foundation director Jim Zemlin's summary was that "the eyeballs weren't really looking." Software researcher Robert Glass has called the law a fallacy, observing that the marginal value of additional reviewers drops sharply past a small number.

The usual qualification is that eyeballs must be both motivated and competent.
Publishing source code is necessary but not sufficient; without funded maintainers, security-literate reviewers, and incentives to audit unglamorous infrastructure code, visibility does not translate into review. OpenSSL at the time of Heartbleed had only a couple of full-time contributors maintaining roughly half a million lines of security-critical code.

Note that a separate, unrelated claim is sometimes also called "Linus's Law": a Torvalds aphorism from the 2001 book The Hacker Ethic classifying human motivations as survival, social life, or entertainment. It has nothing to do with bug-finding.

Linus's Law (the Raymond version) is also commonly discussed alongside Brooks's Law — Fred Brooks's observation that adding manpower to a late software project makes it later — as one of the durable aphorisms of software engineering.