US Government Studies Open Source Quality
anadgouda writes "US Department of Homeland Security has released a report on open source quality in an effort to study the security of open source. 31 popular open source packages were studied as part of this effort. From the article: 'Coverity's report, Stacking up the LAMP stack: a study of open source quality, was produced as part of a $1.24m, three-year DHS Science and Technology Directorate effort to evaluate and improve the security of open source.'"
So, (Score:5, Interesting)
Re:So, (Score:2)
Re:So, (Score:2)
I don't believe they use it internally as it's still part of a research project, but it wouldn't be a bad place to start.
Yes (Score:5, Interesting)
Re:So, (Score:2)
Re:So, (Score:1)
Re:So, (Score:1)
Re:So, (Score:4, Interesting)
So far it's been mostly Gentoo from what I've seen, but there are some places that have to use RedHat because their management said it has to have 'support.'
Bear in mind, however, that the places I'm interviewing are hardcore hacker groups, so this may be (and probably is) completely off the norm.
Re:So, (Score:2)
The need for official support is obvious, even if in reality it ends up being provided by the on site local admins. No need to write it down in quotes and roll our eyes. Official agencies have to have somebody accountable, it's part of justifying the spending of the public dollar.
As for Gentoo, sorry, but it makes little sense why anybody would choose i
Navy Replaced Sun with Yellow Dog Linux ... (Score:5, Interesting)
Re:So, (Score:2)
Ugh, it adds a bit of casualness to the sentence.
Re:So, (Score:1)
Fixed that for you.
Re:So, (Score:1)
Re:So, (Score:3, Funny)
Evaluate and Improve (Score:5, Insightful)
MOD PARENT DOWN (Score:4, Funny)
Re:MOD PARENT DOWN (Score:2, Interesting)
Re:Evaluate and Improve (Score:1)
Re:Evaluate and Improve (Score:1)
Re:Evaluate and Improve (Score:2)
So they submitted Bugs, Right? (Score:5, Interesting)
BBH
Re:So they submitted Bugs, Right? (Score:4, Funny)
Re:So they submitted Bugs, Right? (Score:2, Flamebait)
All software should be that good.
If they found bugs in Bind, I'm not interested in the rest of the report. That's just pork.
RTFA (Score:4, Interesting)
Coverity evaluated 15m lines of open source code with Stamford University's Computer Science Department. The report has identified bugs that can corrupt a machine's memory space, memory leaks, buffer overruns and crashes. Coverity said it would now engage with open source developers to improve code, and identify potential reasons for why some projects have more bugs than others.
Yes, the folks who ran the tests plan to submit their findings to the developers to help squash bugs.
Re:RTFA (Score:2)
Re:RTFA (Score:2)
I'm not sure this is a good thing for FLOSS. In military usage, "engage" means "fight", as in "We engaged the enemy at 09:00 and killed them all."
Re:RTFA (Score:2)
Re:RTFA - Now that's service! (Score:2)
How many closed-source applications would get this sort of helping hand?
Yes. (Score:2, Informative)
Re:So they submitted Bugs, Right? (Score:2)
The article seems to suggest that the authors want to help with processes, rather than individual bugs.
That seems like a much better long-term idea, especially if (and this seems likely) they analysed a sample of code.
If someone analyses 1000 lines of code from a 100000 line project, then they'll have a fairly good idea of what processes (e.g. audits, code reviews, patterns) can help the te
Re:So they submitted Bugs, Right? (Score:2)
Fan of Linux, not of Homeland Security (Score:4, Informative)
Re:Fan of Linux, not of Homeland Security (Score:2)
I'm sure if you looked at the lives of Stalin, Attila the Hun, Saddam Hussein, and other despicable people you'd find that as bad as they were, they did *some* good. The opposite is true for Pope John Paul II, Gandhi, and JFK.
My own philosophy is to praise people/companies/institutions when they're good (n
Re:Fan of Linux, not of Homeland Security (Score:2)
Re:Fan of Linux, not of Homeland Security (Score:2)
If someone has proven untrustworthy in the past, it's not wise to trust their promise about what they're going to do...bu
Re:Fan of Linux, not of Homeland Security (Score:2)
You must be new here.
Re:Fan of Linux, not of Homeland Security (Score:2)
And frankly, i find it pretty weird to think that an operating system or software development movement
Re:Fan of Linux, not of Homeland Security (Score:4, Interesting)
You can't really be that naive, can you? Take the OMB for example. There's a big debate [ombwatch.org] going on about whether OMB should use static scoring or dynamic scoring. It doesn't really matter which one you prefer, but I can tell you that in the current political climate it makes a *huge* difference. Democrats prefer static modeling because then they can argue against tax cuts. Republicans favor dynamic modeling to support a "trickle down" effect. But the idea that somehow OMB is neutral is ignoring reality. Even if they don't intend to favor one party or another, the fact is that there is no action that they can take that won't benefit one group or another.
Interesting that you should mention NASA. Their very existence depends on the support of the aerospace community and the regions of the country that benefit from NASA centers. They are very good at using their influence to get what they want. Even if you could claim that they don't favor one political party over another, they are still very skilled at using political influence to their advantage.
Re:Fan of Linux, not of Homeland Security (Score:2)
That aside, my point about casting linux with in a partisan political still stands. One might be able to cast open source software, in an anti-business light, but tha
Re:In what sense is the CBO a political animal? (Score:2)
The CBO was once asked to calculate the economic impact of taxing all income over $200K/year at 100%. They came back with an estimate that tax revenue would increase by several billion dollars. This ignores the reality that without a financial incentive, most people would stop working once they got to this level and that tax revenue would actually drop. Given this inform
Re:Fan of Linux, not of Homeland Security (Score:2)
Oh no too late
Re:Fan of Linux, not of Homeland Security (Score:3, Insightful)
Re:Fan of Linux, not of Homeland Security (Score:2)
I've been waiting several minutes now and have yet to be connected. Could you look into this for me? Also, I might suggest that you update your music-on-hold. I can only listen to "Rhinestone Cowboy [geocities.com]" just so many times.
Re:Fan of Linux, not of Homeland Security (Score:2)
Re:Fan of Linux, not of Homeland Security (Score:2)
Re:What the hell are you talking about? (Score:2)
What protest? It isn't a protest to point out political reality.
For what it's worth, I voted for GWB in both elections. I personally think that most of the New Orleans/Katrina coverage is sniveling. I recently sent email to my Congressional delegation telling them to pull their head out of their collective asses and stop hating people just because they're Arabs. Of course you probably just assumed that because I'd point out a current political controversy
Re:Fan of Linux, not of Homeland Security (Score:2)
Wouldn't that be UEA?
Their findings are as follows (Score:4, Funny)
The terrorists are cunning, they are secretive, and they will destroy us if they have their way. This world-wide "open source" terrorist movement must be deconstructed and eliminated. There is no other way to protect our Great Nation! We say to you, as the purveyors of truth and all that is good, avoid this "open source" and its proponents like the plague! They wish to destroy everything we hold dear. You, my good American, are the first line of defense. Report users of "open source" to the authorities. Gather any information on them that you can. You may even consider running their dastardly "software packages" in your own free time, so that you may come to know your enemy - for knowledge is the greatest tool that we have in this fight.
Stand proud, my fellow Americans, and beware this new emerging beast. It will surely be the end of us all if we do not take action now.
Quoted from President George W. Bush's State of the Nation Address, January 2007.
Digg Troll? (Score:1)
Where's the report? (Score:5, Insightful)
Re:Where's the report? (Score:1)
stanford will keep the database public... (Score:5, Informative)
from this TFA:
"Anti-virus vendor Symantec Corp. is providing guidance as to where security gaps might be in certain open-source projects."
PS:i am not sure if it has been published on
Re:stanford will keep the database public... (Score:2)
Meaningless categorization (Score:4, Insightful)
It'd be like saying: We studied the quality of software compiled with the Watcom 10.0 C++ compiler. "Open source" cuts across so many levels of skill and projects. You can pretty much find projects that support (or destroy) whatever thesis you'd like to put forward
Even more, somebody pays for the development of the software, one way or another.
This article (from ONLamp) http://www.onlamp.com/pub/a/onlamp/2005/07/21/sof
--
graphicallyspeaking [kotay.com]
Re:Meaningless categorization (Score:3, Insightful)
Meaningful, actually. (Score:2)
That is perfectly logical. Software that comes OUT of a compiler should certainly be tested for quality. Watcom processes source code, and produces a resulting change, so it's valid to ask questions about that. Likewise, Open Source is a process, with its own unique qualities and product attributes. Also, it's an ALTERNATIVE process to the main ones used to develop software, so the idea of evaluating the different outcomes fro
Re:Meaningless categorization (Score:2)
That's not to say it's easy to study in a way that you can use to make decisions about open source product A and closed source product B, but it's far from impossible.
There's something missing (Score:1, Redundant)
Compare with... (Score:2, Interesting)
Re:Compare with... (Score:3, Insightful)
That made me laugh.
Re:Compare with... (Score:2)
What's good for the goose.. (Score:2, Interesting)
I wonder what "bugs that can corrupt a machine's memory space, memory leaks, buffer overruns and crashes" have been uncovered by looking at the source code of closed source softw... oh. wait. no source. heh.
This might well mean that open source software will, at some point in the future, be considered more secure and well-written than comparable commercial closed source software even by government or PHBs.
You have to wonder about the difference in "errors per thousand lines of code"
Re:What's good for the goose.. (Score:1)
Open Source Software: Opportunities and Challenges (Score:5, Informative)
An interesting study was done by the U.S. Military (the Air Force, I believe) concerning Open Source and its place in the Department of Defense, though it is written in such a way as to be useful to non-military personnel and applications. It is a similar, yet IMHO more interesting, read than the parent.
The report can be found as a PDF at http://www.stsc.hill.af.mil/crosstalk/2005/01/0501 Tuma.pdf [af.mil]
Re:Open Source Software: Opportunities and Challen (Score:1, Interesting)
What is normal? (Score:2, Insightful)
Does anyone have any factual data on what is "normal" (accepting all the problems of counting lines and bugs in the first place)? I've seen estimates range from 2 to 100 per 1000 lines.
Thanks for wasting a million bucks of our money (Score:1)
Wow (Score:2, Funny)
The envelope please
"LAMP "showed significantly better software quality" above the report's baseline with an average of
Wow, LAMP is a pretty damn high quality stack after all....gee thanks Captain Obvious, we didn't really need those tax dollars for anything anyways.
superb! (Score:5, Funny)
Re:superb! (Score:2)
.32 out of 1,000 lines of code? (Score:1)
Hmmmmmm.... Hey, I have a thought: if Microsoft does as it says and allows the Gov't to view its code (without releasing it), should not this standard of examination be applied to Microsoft's software too so that we could have a better idea of just what level of quality we can expect from the private sector?
Re:.32 out of 1,000 lines of code? (Score:1)
I've no idea how many lines there are in Vista (or, for that matter, how you count them), but the rumours say that Windows XP is about 40M LOC.
Same Old Math Error (Score:2, Interesting)
So if LAMP open-source is simply more verbose than other kinds of open source, the number of bugs per line of code can go down? How about just adding a million lines of bug-free but totally bogus code to your project -- and completely winnin
Re:Same Old Math Error (Score:2)
If it were that easy to write a million lines of bug-free code, we'd all be doing it. Bogus code is *MORE* bug prone than application code. Why? Because it's never tested.
Sure, in theory, people could just add a bunch of lines with just semi-colons. However, in practice, the testing agency would notice this and come up with a screen. Anything more complicated than empty statements is prone to error.
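The line-inflation argument in this thread comes down to what the denominator of "defects per thousand lines" counts. As an added illustration (not code from the thread, the Coverity report, or any project it names), the snippet below computes defect density twice: once over physical lines, which padding inflates, and once over logical lines after dropping blanks, comments and bare `;` or brace lines, which padding does not move. The C fragment and the defect count are constructed sample input, and the `//` handling is a deliberately simple split that does not understand string literals.

```python
import re

# Constructed sample: a small C function, then the same function with the
# kind of padding the comment above describes (bare ';' statements, a
# block comment and a blank line). One defect is assumed in both.
BASE_SOURCE = """\
int checked_add(int a, int b, int *out) {
    if (b > 0 && a > INT_MAX - b) {
        return -1;  // overflow
    }
    *out = a + b;
    return 0;
}
"""
PADDING = ";\n" * 20 + "/* filler\n comment */\n\n"
PADDED_SOURCE = BASE_SOURCE + PADDING
ASSUMED_DEFECTS = 1


def strip_block_comments(src):
    """Remove /* ... */ comments, including ones spanning several lines."""
    return re.sub(r"/\*.*?\*/", "", src, flags=re.S)


def physical_lines(src):
    """Every line in the file, blanks and comments included."""
    return len(src.splitlines())


def logical_lines(src):
    """Lines that carry a statement or declaration: not blank, not only a
    comment, and not a bare ';' or brace. Naive '//' handling: a '//'
    inside a string literal would be treated as a comment start."""
    count = 0
    for line in strip_block_comments(src).splitlines():
        code = line.split("//", 1)[0].strip()
        if code and code not in (";", "{", "}", "};"):
            count += 1
    return count


def defects_per_kloc(defects, lines):
    """Defect density per 1000 lines; infinite if there are no lines."""
    return defects / lines * 1000 if lines else float("inf")


def density_report(src, defects):
    """Density under both denominators for the same source and defect count."""
    return {
        "physical": defects_per_kloc(defects, physical_lines(src)),
        "logical": defects_per_kloc(defects, logical_lines(src)),
    }


if __name__ == "__main__":
    for name, src in (("base", BASE_SOURCE), ("padded", PADDED_SOURCE)):
        r = density_report(src, ASSUMED_DEFECTS)
        print(f"{name}: {r['physical']:.1f} per KLOC physical, "
              f"{r['logical']:.1f} per KLOC logical")
```

Padding drops the physical-line density from about 143 to about 33 per KLOC while the logical-line density stays at 200 in both cases, which is the screen the comment above says a testing agency would apply.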
Re:Same Old Math Error (Score:3, Interesting)
The real problem isn't bogus stats caused by line inflation. The real problem is that it only finds certain types of bugs. If a bug causes an incorrect result or improper behavior, but doesn't cause a memory leak or the like that crashes the program or system, then it isn't being found. It also isn't finding STUPID code - code that works but is ridiculously convoluted, slow, difficult to modify, redundant (writing 5000 lines of code to do some string manipulation and parsing that could be done just as ea
hypocrisy (Score:1)
If any MS (or should I say M$) product were to have been put in an article like that, the mobs would have screamed for Gates's head. However, since it is the all-powerful-silver-bullet-snake-oil open source, all I see are excuse makers and doubters. If anyone is to even take themselves seriously, they must be at least OPEN to the idea that something they believe in is not perfect,
non-hypocrisy (Score:2)
Well, at least it can be seen that there is overwhelming bias at slashdot.
- Saying that one race group is inferior to another constitutes a "bias": correct.
- Saying that some software is better than other software constitutes a "bias": incorrect
The two are not analogous. The flaw in your argument is the implicit assertion put forth that "all software is created equal" (so to speak) and that any preference of some software over another must therefore constitute a bias. Here's a cluestick for you: Softwar
SE-Linux (Score:2, Interesting)
One agency study.
1.5 million dollars spent.
How much did the NSA spend developing SE-Linux?
Must have cost more than 1.5 million. And that is now at the core of Linux.
Yes many in the US Government are aware that Open Source software rocks.
Impeach the Liar
Stamford University? You mean Stanford. (Score:3, Interesting)
Where's the Beef? (Score:3, Insightful)
No seriously! Where's this article? I'd imagine three years and 1.25 million dollars would produce a hefty article. I'd love to give it a read! "US Department of Homeland Security has released a report on open source quality"- so where's the release?
It cites one or two figures, and throws around lots of buzz-words, but there's no comparison? No information? No study of reliability? Nothing at all.
PS: As a side-note, if they 'studied' 15 million lines of code over three years, and were able to identify defects, shouldn't we be seeing a nice patchset coming from Coverity sometime soon... Think about it. It's easy to tell someone else to fix it, but a good part of OSS is giving back.
Re:Where's the Beef? (Score:2, Funny)
Certified USDA Prime Software (Score:2)
Re:Certified USDA Prime Software (Score:2)
It seems to me that both the DHS and the open source community would benefit from a broad discussion of how DHS can and should contribute, in particular if they are spending millions mayb
stupid article (Score:2)
This article is kind of dumb. It compares LAMP to everything else FOSS.
I don't need that, I need to know how FOSS compares to Proprietary Software
Re:money? (Score:1)
Damn you didn't even read the f**kin summary!
Re:money? (Score:5, Insightful)
And I wonder how many more millions they can now save by using OSS, now that they know they can be more confident in its quality? Have you ever heard of the word "investment"?
Re:OSS Security depends on bugs being fixed (Score:4, Insightful)
Reminds me of when as a noob, I reported an error in a man page to a project mailing list, hoping somebody close to the project might pick it up and fix it. Nah, the response was: OK, write yourself a new man page.
That attitude still pervades most OSS projects. The result is open source is regarded as by geeks for geeks, and IMHO this, more than any perceived security risks, will keep it off the desktop for a long time yet. Sure, I see quite a few specialist applications coming thru now packaged for MacOS-X. Here's an example (names obscured to protect the ignorant): a multimedia application, gui built on GTK, equal to commercial products of several hundred dollars, well worthy of the suggested paypal donation. But it requires access to the Hardware Abstraction Layer, which is provided by a different oss project, whose raw binaries will do what's needed from the command line, but no gui interface yet, unless you build it, in Qt.
Security problems in OSS are multiplied by forking, and geekishness for its own sake.
Re:OSS Security depends on bugs being fixed (Score:3, Insightful)
What project was it? Is it anything we care about?
How about linking to your 'bug report' so that we can see this supposed reply?
That attitude still pervades most OSS projects.
What OSS projects are you referring to? Not all OSS projects are equal. You are generalising.
What evidence do you have of m
Re:OSS Security depends on people admitting a bug (Score:3, Insightful)
Advocates need to consider the many places in their lives where they purchase things rather than make or maintain them themselves - for many pe
Re:OSS Security depends on people admitting a bug (Score:4, Insightful)
I especially love the "Windows XP and office 2003 just worked" line. That's a rich one. Anybody who has actually worked with those technologies knows how much effort it takes to make them "just work".
I do think you have point about the incompatibilities of the office formats with other software. It's a well known fact that MS products use office formats to undermine other software. I think that people are finally wising up to this and pushing for ODF. Even MS has tried to make the default office format XML based so I think this problem will go away very soon.
What's interesting to me is how different office 12 looks from office 2003 (who the fuck came up with that versioning scheme?). It will be much easier to re-train employees from office 2003 to open office (which looks very similar) than to retrain employees to migrate from 2003 to 12. Office 12 looks and acts radically different than what people are used to.
Re:OSS Security depends on people admitting a bug (Score:1)
Actually, if you're not the one spending the effort, there's no way to tell. For the average corporate user, the above is true because they've no idea how much effort it took the IT staff to make it work. From their point of view, it just works.
Re:OSS Security depends on people admitting a bug (Score:2, Interesting)
Also, I agree with the comment about the FUD mobile appearing.
I have no problems finding a local community college with Linux classes. I actually took one a few years ago as part of my associate's degree. You may want to try searching for UNIX instead, as Colleges usually keep old names around. The class I took was actually called UNIX Concepts, but was actually taught on Red Hat Linux.
See
EET 175 Network Operating Systems
EET 208 UNIX Conc
Re:OSS Security depends on people admitting a bug (Score:1)
Sometimes posts are deserving of the flames they attract.
"free software is NOT always the best solution for every problem, especially when it comes to security"
The start and end of your rant suggested you had some issue wi
Re:OSS Security depends on people admitting a bug (Score:2)
How much do you get paid for an 'astroturf' post like that? (You're not very good at it though ... the whole formulaic "pretend to be an OSS advocate" to score mod points, it's like you pulled it from a marketing 101 textbook.)
Re:OSS Security depends on people admitting a bug (Score:2)
Actually, there are (more than) a few of us in that Geek Squad who would be perfectly happy providing Linux support. It'll probably never happen... it's great that there are those of us who are technically li
Re:OSS Security depends on people admitting a bug (Score:4, Interesting)
.... you say this [the above], then proceed to make an argument based solely on functionality and support of software packages available. Do you have anything to back up your initial statement there, that non-Open software is somehow better for applications that require "security" (a vague term at best, in this context, I think - are you talking security against networked crackers, automated worm attacks, attempts to de-crypt encrypted data ... )? I'm not trying to "flame" you, but you don't support your statement at all in your post, and I honestly can't think of an instance where proprietary or closed source software is "more secure" than F/OSS...
You should move to where there's a better community college - I think it may even be safe to use the word "most" when describing how many schools there are across the country now that are teaching Linux, FreeBSD, or both. Are you saying your school doesn't offer it, or that you can't take it for some other reason?
As a sidelight, note that many schools that have received endowments from M$ (thru one channel or another) have magickally dropped the course-work they once had that didn't require the purchase (at a student discount, of course) of M$ products - if that's what's going on at your school, you might want to address it with your administration - after all, when you're paying for an education, they're defrauding you if they don't give you what you pay for - regardless of what M$ is paying them (under the table) not to teach you....
Not sure just what sector of the real world you're talking about, here, but *I* won't hire you if you don't understand operating systems generally (we're talking critical embedded systems here - the stuff that's going to outlive the users who are thinking they need a "new" obsolete PC), and have some skill with anything that can be called one. "Platform Independence" and "Language Independent" aren't just test questions in the Real World outside Microsoft Applications Land - a rich and profitable land to be sure, but nothing grows there so all [brain] food must be imported, and life expectancy is pretty short generally due to contaminated memepools, rarified atmospheres, and the mind numbing depressions induced by the incredibly bleak cyberscapes...)
Anyway - all that said, I do agree with you about support for F/OSS - it is overall difficult to access, often hard to understand, and generally just unusable for those who are not already to some degree technical initiates. And that does need to change. Imo.
Re:OSS Security depends on people admitting a bug (Score:2)
First, what does CAD have to do with security? What does the number of users of Autodesk or Solidworks have to do with anything in this discussion? And, just as an aside, the last time I looked, DXF formats were supported by most CAD vendors, open or closed source.
Now, OpenOffice may not be as productive as Microsoft Office. Is your claim that this is due to bugs in OpenOffice? Further, is your claim that the cause of these bugs is because OpenOffice is an o
Re:This report is a GOOD thing! (Score:1)
Re:only europe can fix america. (Score:2)
In the short term, closed source is useful because when your code first hits the network no one knows much about the internals, there are no known holes, and finding holes is difficult. Open source is open to immediate and sophist
Plenty missed here. (Score:2)
All the apps on my machine are open source (except windows itself), and where the apps go.... Eventually so will the OS. It's just gonna take a lot longer. The app war isn't even fully finished yet. Look at Gimp/Photoshop. They are still kind of duking it out, but gimp is the inevitable winner, and a few graphics profs already realise that and are jumping ship, if for no other added incentive than savi