"Open source code, much like its commercial counterpart, tends to contain one security exposure for every 1000 lines of code, according to a program launched by the Department of Homeland Security to review and tighten up open source code's security. Popular open source projects, such as Samba, the PHP, Perl, and Tcl dynamic languages used to bind together elements of Web sites, and Amanda, the popular open source backup and recovery software running on half a million servers, were all found to have dozens or hundreds of security exposures and quality defects. A total of 7826 open source project defects have been fixed through the Homeland Security review, or one every two hours since it was launched in 2006, according to David Maxwell, open source strategist for Coverity, maker of the source code checking system, the Prevent Software Quality System, that's being used in the review." Note: I just want to state for the record that the headline has not been written by me. I do like the total kicking-in-open-doors air surrounding it, though.
To view parent comment, click here.
To read all comments associated with this story, please click here.
Member since:2005-07-06
And if it were a commercial product they would have been royally screwed. Ring up the company then pray that the actual problem is fixed rather than simply be told, "here is a work around, the problem won't be solved until months later (or the next release)".
You either have flexibility or perceived 'teh cheapness'. The fact is, if the DHS refuses to work with the community of security issues, how is it the problem of open source that they, the DHS, spent 1500 or so man hours on something that could have been avoided? why not setup security audit groups consisting of DHS IT personal and vendors to improve quality?
The whole point of open source is community; the fact that IT is a cost centre within a company, working together with other companies and organisations should not be an issue - you make no money from software, the fact that work with others on fixing common issues isn't going to lead to loss of competitiveness - so there are no excuses as to why it isn't possible.
To me it seems that businesses still live in an era where they're an island - where they can't seem to get their head around the idea of working with companies on common issues which all face, whilst at the same time still competing with each other in the product sphere.
Member since:
2005-07-06
I think the news is not that there are actual bugs in OSS but that the department of Homeland Security has spent 1562 man(person) hours fixing them.