US Government Studies Open Source Quality
anadgouda writes "US Department of Homeland Security has released a report on open source quality in an effort to study the security of open source. 31 popular open source packages were studied as part of this effort. From the article: 'Coverity's report, Stacking up the LAMP stack: a study of open source quality, was produced as part of a $1.24m, three-year DHS Science and Technology Directorate effort to evaluate and improve the security of open source.'"
So, (Score:5, Interesting)
So they submitted Bugs, Right? (Score:5, Interesting)
BBH
Compare with... (Score:2, Interesting)
What's good for the goose.. (Score:2, Interesting)
I wonder what "bugs that can corrupt a machine's memory space, memory leaks, buffer overruns and crashes" have been uncovered by looking at the source code of closed source softw... oh. wait. no source. heh.
This might well mean that open source software will, at some point in the future, be considered more secure and well-written than comparable commercial closed source software even by government or PHBs.
You have to wonder about the difference in the "errors per thousand lines of code" metric though. Does one project use
int a;
a = 5;
and the other
int a=5;
?
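As an added illustration (not part of the original thread) of how much the denominator in that metric depends on the counting convention, here is a small Python script that measures the same constructed snippet, laid out verbosely and tersely, under three size conventions:

```python
import re

# Two constructed snippets expressing the same program with different layout,
# mirroring the "int a; a = 5;" versus "int a=5;" point above.
VERBOSE = """\
int a;
a = 5;
int b;
b = a * 2;
/* report */
printf("%d\\n", b);
"""

TERSE = """\
int a=5; int b=a*2; printf("%d\\n", b);
"""

_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def physical_lines(src):
    """Every line, blanks and comments included (a naive 'wc -l' style count)."""
    return len(src.splitlines())

def code_lines(src):
    """Non-blank lines after block and line comments are removed."""
    return sum(1 for ln in _COMMENT.sub("", src).splitlines() if ln.strip())

def statements(src):
    """Rough logical-statement count: one per terminating semicolon."""
    return _COMMENT.sub("", src).count(";")

def defects_per_kloc(src, defects, counter=physical_lines):
    """Defect density for a fixed defect count; only the size metric changes."""
    return round(defects * 1000 / counter(src), 1)

if __name__ == "__main__":
    for name, src in (("verbose", VERBOSE), ("terse", TERSE)):
        for counter in (physical_lines, code_lines, statements):
            # One hypothetical defect in each layout of the same program.
            print(name, counter.__name__, defects_per_kloc(src, 1, counter))
```

Under the physical-line count the terse layout looks six times worse than the verbose one; counting statements narrows the gap considerably, which is why a cross-project defects-per-KLOC comparison needs a stated counting rule.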
Yes (Score:5, Interesting)
RTFA (Score:4, Interesting)
Coverity evaluated 15m lines of open source code with Stamford University's Computer Science Department. The report has identified bugs that can corrupt a machine's memory space, memory leaks, buffer overruns and crashes. Coverity said it would now engage with open source developers to improve code, and identify potential reasons for why some projects have more bugs than others.
Yes, the folks who ran the tests plan to submit their findings to the developers to help squash bugs.
Re:Fan of Linux, not of Homeland Security (Score:4, Interesting)
You can't really be that naive, can you? Take the OMB for example. There's a big debate [ombwatch.org] going on about whether OMB should use static scoring or dynamic scoring. It doesn't really matter which one you prefer, but I can tell you that in the current political climate it makes a *huge* difference. Democrats prefer static modeling because then they can argue against tax cuts. Republicans favor dynamic modeling to support a "trickle down" effect. But the idea that somehow OMB is neutral is ignoring reality. Even if they don't intend to favor one party or another, the fact is that there is no action that they can take that won't benefit one group or another.
Interesting that you should mention NASA. Their very existence depends on the support of the aerospace community and the regions of the country that benefit from NASA centers. They are very good at using their influence to get what they want. Even if you could claim that they don't favor one political party over another, they are still very skilled at using political influence to their advantage.
Re:MOD PARENT DOWN (Score:2, Interesting)
Re:Open Source Software: Opportunities and Challen (Score:1, Interesting)
Same Old Math Error (Score:2, Interesting)
If I remember correctly, Coverity has been discussed on Slashdot previously, and they used the same diseased statistical thinking back then, too.
Re:So, (Score:4, Interesting)
So far it's been mostly Gentoo from what I've seen, but there are some places that have to use Red Hat because their management said it has to have 'support.'
Bear in mind, however, that the places I'm interviewing are hardcore hacker groups, so this may be (and probably is) completely off the norm.
Re:OSS Security depends on people admitting a bug (Score:2, Interesting)
Also, I agree with the comment about the FUD mobile appearing.
I have no problems finding a local community college with Linux classes. I actually took one a few years ago as part of my associate's degree. You may want to try searching for UNIX instead, as Colleges usually keep old names around. The class I took was actually called UNIX Concepts, but was actually taught on Red Hat Linux.
See
EET 175 Network Operating Systems
EET 208 UNIX Concepts
at <a href="https://www.owens.edu/cgi-bin/courses.pl">O
Re:OSS Security depends on people admitting a bug (Score:4, Interesting)
.... you say this [the above], then proceed to make an argument based solely on functionality and support of software packages available. Do you have anything to back up your initial statement there, that non-Open software is somehow better for applications that require "security" (a vague term at best, in this context, I think - are you talking security against networked crackers, automated worm attacks, attempts to decrypt encrypted data ... )? I'm not trying to "flame" you, but you don't support your statement at all in your post, and I honestly can't think of an instance where proprietary or closed source software is "more secure" than F/OSS...
You should move to where there's a better community college - I think it may even be safe to use the word "most" when describing how many schools there are across the country now that are teaching Linux, FreeBSD, or both. Are you saying your school doesn't offer it, or that you can't take it for some other reason?
As a sidelight, note that many schools that have received endowments from M$ (thru one channel or another) have magickally dropped the course-work they once had that didn't require the purchase (at a student discount, of course) of M$ products - if that's what's going on at your school, you might want to address it with your administration - after all, when you're paying for an education, they're defrauding you if they don't give you what you pay for - regardless of what M$ is paying them (under the table) not to teach you....
Not sure just what sector of the real world you're talking about, here, but *I* won't hire you if you don't understand operating systems generally (we're talking critical embedded systems here - the stuff that's going to outlive the users who are thinking they need a "new" obsolete PC), and have some skill with anything that can be called one. "Platform Independence" and "Language Independent" aren't just test questions in the Real World outside Microsoft Applications Land - a rich and profitable land to be sure, but nothing grows there so all [brain] food must be imported, and life expectancy is pretty short generally due to contaminated memepools, rarified atmospheres, and the mind numbing depressions induced by the incredibly bleak cyberscapes...)
Anyway - all that said, I do agree with you about support for F/OSS - it is overall difficult to access, often hard to understand, and generally just unusable for those who are not already to some degree technical initiates. And that does need to change. Imo.
SE-Linux (Score:2, Interesting)
One agency study.
1.5 million dollars spent.
How much did the NSA spend developing SE-Linux?
Must have cost more than 1.5 million. And that is now at the core of Linux.
Yes many in the US Government are aware that Open Source software rocks.
Impeach the Liar
Stamford University? You mean Stanford. (Score:3, Interesting)
Navy Replaced Sun with Yellow Dog Linux ... (Score:5, Interesting)
Re:Same Old Math Error (Score:3, Interesting)
The real problem isn't bogus stats caused by line inflation. The real problem is that it only finds certain types of bugs. If a bug causes an incorrect result or improper behavior, but doesn't cause a memory leak or the like that crashes the program or system, then it isn't being found. It also isn't finding STUPID code - code that works but is ridiculously convoluted, slow, difficult to modify, redundant (writing 5000 lines of code to do some string manipulation and parsing that could be done just as easily and efficiently using a RE library, or use lex, or some other straightforward solution - I've seen code that re-implemented several of the standard library string routines, and to add insult to injury, did it poorly and with a memory leak - at least these guys would have found the memory leak, but their solution would probably be to fix the leak, not toss the whole routine). C++ programmers seem to do this kind of thing particularly often, although many "object oriented" programmers can screw things up in multiple languages with equal facility.