Linked by Thom Holwerda on Wed 9th Jan 2008 22:34 UTC, submitted by vermaden
Thread beginning with comment 295136
RE[2]: Award me a captain obvious tag
by leos on Wed 9th Jan 2008 23:24
in reply to "RE: Award me a captain obvious tag"
Without arguing for either side of the fence, the argument goes that more eyes make bugs shallow. More people read and check prominent code from open source projects, so there is a higher probability of finding bugs.
Of course, in practice it highly depends on the project. While "the more eyes make bugs shallow" mantra works for open source projects with a high number of developers, it may not apply to projects with few developers.
I would say the results support the "more eyes" argument. The active projects with many contributors (like the Linux kernel or libc) have far fewer than 1 bug per 1,000 lines of code. Of course, without a comparison to a comparable closed source system it's difficult to tell whether that is a good result or not.
RE[3]: Award me a captain obvious tag
by noamsml on Thu 10th Jan 2008 11:38
in reply to "RE[2]: Award me a captain obvious tag"
RE[2]: Award me a captain obvious tag
by robertojdohnert on Thu 10th Jan 2008 15:08
in reply to "RE: Award me a captain obvious tag"
That statement is fine, and it was created by Eric Raymond. I disagree with it. Performance bugs, bugs that cause software not to function properly, sure, the statement holds water, but if security holes were the same then that test would show NO security holes in open source software. Coding with security by design takes a specialist, someone who knows what they are looking for.
You may argue that Linux and Open Source are superior to proprietary software security-wise. It may have that perception, but look at the userbase, or lack of, and the fact that Linux "inherits" a lot from UNIX, which was a system designed with security in mind.
Without arguing for either side of the fence, the argument goes that more eyes make bugs shallow. More people read and check prominent code from open source projects, so there is a higher probability of finding bugs.
Of course, in practice it highly depends on the project. While "the more eyes make bugs shallow" mantra works for open source projects with a high number of developers, it may not apply to projects with few developers.
Additionally, it should be pointed out that Coverity's software does static analysis. It does not uncover (security) bugs that cannot be detected with static analysis.
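To make the static-analysis point concrete, here is an added example (not code from the OSnews thread, from Coverity, or from any project discussed above). It puts two defects side by side in C: an unbounded strcpy() into a fixed buffer, which a static checker flags from the source text alone, and an authorisation check that silently drops a rule of the (assumed, made-up) policy "a caller may rename a record only if they own it and it is not locked, or if they are an administrator". The second function is memory-safe and type-correct; nothing in the code states the policy, so a scanner has nothing to compare it against, and only a test or a reviewer who knows the spec finds it. All names, the struct and the policy are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16

/* Hypothetical record type, constructed for this example. */
struct record {
    int owner_uid;
    int locked;
    char name[NAME_LEN];
};

/* Defect class 1: memory safety. Unbounded copy into a fixed-size
 * buffer. A static checker sees strcpy() from an unbounded source
 * into char[NAME_LEN] and flags it without running anything. */
void set_name_unchecked(struct record *r, const char *name)
{
    strcpy(r->name, name); /* flagged: possible buffer overflow */
}

/* Hardened form: measure first, reject over-long input, bounded copy.
 * Returns 0 on success, -1 if the name does not fit. */
int set_name_checked(struct record *r, const char *name)
{
    size_t n = strlen(name);
    if (n >= NAME_LEN)
        return -1;
    memcpy(r->name, name, n + 1); /* n + 1 includes the terminator */
    return 0;
}

/* Defect class 2: authorisation logic. Assumed policy: admin, or
 * (owner AND not locked). The buggy version forgets the lock check.
 * Every line is memory-safe; no static scan knows the policy is wrong. */
int may_rename_buggy(const struct record *r, int caller_uid, int is_admin)
{
    return is_admin || r->owner_uid == caller_uid;
}

/* Correct check against the assumed policy. */
int may_rename_fixed(const struct record *r, int caller_uid, int is_admin)
{
    return is_admin || (r->owner_uid == caller_uid && !r->locked);
}

/* Entry point using the fixed check and the bounded copy.
 * Returns 0 on success, -2 if the caller is not permitted,
 * -1 if the name is too long. */
int rename_record(struct record *r, int caller_uid, int is_admin,
                  const char *name)
{
    if (!may_rename_fixed(r, caller_uid, is_admin))
        return -2;
    return set_name_checked(r, name);
}

int main(void)
{
    /* Constructed sample: uid 1000 owns a locked record. */
    struct record r = { 1000, 1, "old" };

    printf("buggy check on locked record: %d (should be 0)\n",
           may_rename_buggy(&r, 1000, 0));
    printf("fixed check on locked record: %d\n",
           may_rename_fixed(&r, 1000, 0));
    printf("rename while locked: %d\n", rename_record(&r, 1000, 0, "new"));

    r.locked = 0;
    printf("rename after unlock: %d, name=%s\n",
           rename_record(&r, 1000, 0, "new"), r.name);
    printf("over-long name rejected: %d\n",
           set_name_checked(&r, "0123456789abcdef"));
    return 0;
}
```

The first defect is exactly the kind of thing a Coverity-style scan of the kernel or libc would count; the second never appears in such a count, which is why a low static-analysis bug rate says little on its own about the presence of security holes of the logic or design kind.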