Oh come on, you can't seriously say that Erlang/OTP is good open source. It's mildly good corporate open source, and that doesn't make it good open source in any way. But that's off-topic.
The thing is, code review is a necessary thing where the audience is large, the tool is critical, and the tooling (here, the compiler) doesn't give any guarantee in terms of code correctness.
Code reviews are important, but it's a human process, which has its own flaws and inconsistencies. It's no silver bullet, no more than static checking, strong typing, and test suites. If you want a guarantee, you'll have to prove. If you want to prove, you'll have to take time and do it mathematically. This process would have killed any OSS project; it's simply not feasible.
Shit happens, man. That's no reason for protectionism, elitism, and OSS aristocracy. OSS is open and should stay open whatever it costs, period.
Moreover, even if this hole is big, the environment has always been a real security hole in Unix. ksh, anyone? Or worse: csh? The situation has greatly improved since, and we have every right to be disappointed to lose a security we all took for granted. That shouldn't make us forget the road we've already crossed.
Why, after OTP was open sourced, the project got lots of reviews, bug reports and bug fixes, and overall quality has improved even more.
The same idea works with crucial projects such as openssh. No one could count how many eyes were on the code to find a flaw in the code or a way to exploit it.
btw, Erlang/OTP is so good that nowadays, when you are using your mobile, your data most probably goes at least once through Ericsson hardware and an Erlang VM within it.
As for code review, almost every major project does it nowadays, whether you like it or not.
It is very good software, no doubt. Erlang wouldn't be so efficient without OTP. It's just a bad example of a good OSS project because it's not really a community project but more like "some guys from Ericsson who accepted some contributions and opened the code". It's like saying that the C# compiler is a good OSS project. It's a good project, sure, but not a good OSS one (yes, the C# compiler is now open source, and the code is amazing).
You want a good OSS project? Take Gnome, take VLC, take Qt, take the libc^W^W^W, well, not the libc. ;-)
You got the idea.
About code review, I persist in my point: it's a good practice, but we need it only because code that passes the checks (compilation, analysis, tests) doesn't mean that this code works. There was an article about "security by being careful" but I can't find the URL anymore. Shame.
Anyway, I'm an OCaml believer, and be assured that when your compiler can give you that level of assurance, you don't review the same way: you know you're not half as good as the compiler at catching errors, and that's a damn good feeling.