On Tuesday, code-analysis software maker Coverity announced that its automated bug finding tool had analyzed the community-built operating system FreeBSD and flagged 306 potential software flaws, or about one issue for every 4,000 lines of code. The low number of flaws found by the system underscores that FreeBSD's manual auditing by project members has reduced the vulnerabilities in the operating system, said Seth Hallem, CEO of Coverity.
To view parent comment, click here.
To read all comments associated with this story, please click here.
Member since:Remember that it was you that setup the standard of proof with this precise but (based on your backing down) "buggy" sentence, directly quoted, and you didn't provide a qualifier that it was for AIX/BSD or operating systems code:
"Open source apps definitely have fewer statically identifiable problems than does proprietary software."
It is important to remember that even though a lot of people that read OS News can't program their way out a of a virtual wet paper bag, many of the readers of OS News (they must read it for the same reason that people slow down and gawk at fatal car wrecks along the highway!) use language precisely for a living, whether it is human or computer language. Perhaps next time you will do a static check of your prose for semantics before you press the "Submit comment" button in the page 
Member since:
2005-07-08
The basis of my comparison is that both codebases (FreeBSD and AIX) are UNIX-like kernel/userland systems. I could not possibly provide evidence to suggest that proprietary software is in general buggier than open source software if you are holding me to this standard of proof. What I can say is that there are only so many major proprietary UNIX systems in active development today. I would go so far as to say that the only remaining ones are AIX and HPUX, since Solaris has already been extensively prepared for open sourcing. Therefore, comparing FreeBSD to AIX is a fair and representative comparison of open source and proprietary UNIX-like operating systems. I would imagine that HPUX would be on par with AIX at best, especially given HP's commitment to their enterprise UNIX business.
The impact of static analysis on open source software is huge, and the simple reason is: these projects cannot afford to execute large-scale runtime integration, functional verification, and stress testing. Static analysis is extremely cheap in comparison. For proprietary purposes, static anaylsis is just one more item in the QA toolbox. I'm aware of two customer-reported failures in the past 5 years that could have been avoided if IBM had used static anaylsis on those releases of AIX (both resulting from an uninitialized variable). IBM finds nearly every conceivable problem in runtime testing regardless of static analysis. Without access to powerful parallel testing labs, open source projects must embrace static analysis, which is why they eliminate so many of these kinds of errors (and why proprietary development teams can often afford not to care).