Domain: debian.org
Stories and comments across the archive that link to debian.org.
Stories · 499
-
Reliability of Journalling Filesystems Under Linux?
chrysrobyn asks: "Every write-up I see about journalling file systems under Linux discusses efficiency (embedded) or speed (desktop/server). Have any studies been done on reliability? I've used Linux since Slackware 96 (and kernel 2.0.0), and put it on 9 or 10 machines over the years (Slackware on x86 and Debian on PPC), but I've never strayed from ext2. Always, when the uptime gets high, 20-50 days, the filesystems start to get minor fsck errors. Not that I repair the system and expect it to stay live, I just use the fsck -n to help me decide when a repair is in order. Since the same thing has happened on a variety of hardware (386-PII and every interface in between and 601 and 750 processors with Apple hardware), I'm leaning on blaming the ext2 filesystem for these, the slightest of problems. I typically keep my servers up for as long as possible because 95% of my hardware problems have happened during resets and cold power-ups. It's time for my every-other-year rebuild of my personal server, with another on its way, so I was hoping to incite some anecdotal Slashdot conversation on the journalling file systems available for Linux. Personally, I'm most interested in hearing about the file systems supported under Debian stable for ease of administration for this machine which is a 5 hour drive away from home. I've been around the block a few times, so I'm not fearful of patching the kernel with better patches, but I'm respectful of the work the Debian assurance teams have done." -
Knoppix for Rapid Desktop Deployment
heretic108 writes "From first boot to full desktop in 20 minutes! Knoppix has shot into the spotlight as a GNU/Linux distro suitable for demonstrating quality Open Source Software, standing out for its ability to self-configure itself into a vast range of hardware, and to run entirely off a CD boot without interfering with any existing system setup. That, plus its fat catalogue of pre-installed desktop software. But OSS enthusiast David McNab has poked a bit deeper, and found that Knoppix can install itself to disk, resulting in a completely configured GNU/Linux desktop system, ready to use, in 20 minutes, hassle free. CD no longer needed! Best of both worlds - use as a GNU/Linux demo disk, and if the user likes it, it's a snap to install permanently. I can't think of any distro that comes close to this, for ease and speed of setup. I found McNab's short Knoppix Installation Howto which gives a very brief and easy guide. With this rapid setup ability, Debian-based Knoppix makes a great contribution to the catalogue." -
GNOME 2 To Hit Debian Unstable This Sunday
steveha writes "Colin Walters announced that GNOME 2 will go into Sid (the unstable branch of Debian) this Sunday. Good experimental packages have been available for a while, but there wasn't any upgrade from GNOME 1.x; you lost all your settings. Now there are transition scripts, and the Debian GNOME 2 developers would like people to test the transition scripts as much as possible before Sunday... to quote Colin Walters, '...if you haven't helped us out by testing them already, then you will be forced to anyways this Sunday :)'" -
Debian Desktop Subproject Launched
MrOutlander writes "The Debian Project is now officially addressing its usability on the desktop with the launch of the Debian Desktop subproject. Great to see usability being recognized as a very important part of debian. Other than the sometimes daunting install process, Debian is one of the best linux distributions." -
Progeny Announces Graphical Installer for Debian Woody
jdaily writes "In light of recent negative reviews of Debian in which the installer was roundly criticized, this announcement may have particular timeliness and relevance: Progeny has made available an i386 Debian 3.0 (woody) installer image based on PGI, the Progeny Graphical Installer. This is available at Progeny's free software archive." I've installed Debian so many times that I've just learned to cope with the installer, but this is a much needed boost. -
BitKeeper EULA Forbids Working On Competition
Col. Klink (retired) writes "BitKeeper's new EULA forbids working on the competition. Larry McVoy has told Ben Collins that he can't use BK because he works on subversion (a free revision control program). In fact, you can't use BitKeeper if you OR your company have anything to do with competing software. Free Software advocates who were upset when Linus decided to use non-Free software now have the opportunity to say 'I told you so.'" -
Debian Internal Projects Slides by Andreas Tille
lagc writes "In this message to debian-devel, Andreas Tille presents the slides he will use in his talks at the LinuxDays Luxembourg event. The first explains the structure, motivations and advantages of Debian Internal Projects (Debian-Junior, Debian-Med, Debian-Edu and Demudi for now), the second presents the Debian-Med distribution. That is: Debian is the solid base for specialization in the Free Software World." -
DebianEdu Announced
Bill Kendrick writes "There's been an announcement on debian-devel-announce about a new subproject, DebianEdu, which "aims to make Debian the best distribution available for educational use." As a developer with some stuff in Debian Jr., I'm happy to see some focus on an honest-to-goodness education project!" -
#debian & IRC Politics
eyez writes "Apparently, the recent decision of OPN(now freenode) to ask for donations has ruffled the feathers of a few debian people. This article on DebianPlanet talks about the current discussion on the debian mailing lists which talks about the possibility of moving #debian (and #debian*) off of OPN altogether." -
A Debriefing On Debian's Woody Release
solferino writes: "Anthony Towns has posted a fairly detailed 'retrospective' on the release of woody and an 'introspective' on the future release of sarge." This is a long, informative read for anyone interested in how the complicated Debian release process plays out behind the scenes. ("Grep for 'realistic schedule'. Doh.") -
Debian GNU/Linux 3.0 Released
emissary47 writes "The Debian Project is pleased to announce the release of Debian GNU/Linux version 3.0. Debian GNU/Linux is a free operating system, which now supports a total of eleven processor architectures, includes KDE and GNOME desktop environments, features cryptographic software, is compatible with the FHS v2.2 and supports software developed for the LSB. The Release Notes are available here." -
The Importance of Being Debian
Orre writes "This is an interesting article on why we should be interested in this non-commercial linux distribution. Some of the points: No lies, Suit-Free Zone, Apt-get. And by the way, Hewlett-Packard has chosen Debian to be their standard linux distribution." -
Interview with Ian Jackson
Figuring you can never get too much Ian Jackson, Trevelyan writes: "Debian Planet has an interview with the long time Debian maintainer, and a former DPL, a current member of the technical committee and the author of dpkg. Also announced Debian GNU/Linux 2.2r7 released. In case some of you thought Debian won't be releasing anything this year =)" -
Why Mandrake is Too Cool for UnitedLinux
An anonymous reader says "Mandrake's latest community (spam) newsletter contains their explanation as to why they won't join in on UnitedLinux. Besides the obvious geek-fun of rolling their own distro, they claim that the underlying idea of UnitedLinux is based on a flawed comparison to the Unix world of the 80's." I think the whole UnitedLinux thing is lame: the distros that want to be compatible already are. UL is just the 2nd tier distros trying to get attention and ink away from the "evil forces" in North Carolina. I'll just stick to the best distribution and watch the fun from afar ;) -
Debian And WineX
fdsa writes "After a heated debate, and under some pressure by TransGaming, an 'intent to package' WineX from sourceforge CVS for (non-free) Debian has been withdrawn. The message provides a good summary of the recent Wine chaos, and notes how WineX is effectively under a different license than stated. Here's a mail from their CEO Gavriel State on the issue." -
Red Hat Files for Software Patents
Marsala writes "Apparently Red Hat has filed two patent applications for stuff related to the TUX webserver. The patents are for Embedded Protocol Objects and Method and apparatus for atomic file look-up. One has to wonder (if their patents are granted) what their licensing terms will be.... free for open source, or a tool to try and screw other Linux distros?" As reported by Linux Weekly News. -
New Internet2 Land Speed Record
SquadBoy writes "An international team set a new record for Internet performance by transferring the equivalent of an entire compact disc's contents across more than 7608 miles (12,272 km) of network in 13 seconds. The rate of 401 megabits per second achieved in transferring 625 megabytes of data from Fairbanks, Alaska to Amsterdam in the Netherlands is over 8000 times greater than the fastest dial-up modem." -
Sun Drops Sawfish for Metacity
Cardhore writes: "According to this article, Sun's and Wipro's developers are now working on Metacity, instead of Sawfish. Metacity and Sawfish are two window managers for the GNOME desktop, and Sun has decided to use Metacity over Sawfish for GNOME 2. This decision has been based on issues such as accessibility, maintainability of the code [1], documentation, multi-head support and a general eagerness from the community to commit to Metacity in the future." Here's a brief description of Garret LeSage's experience with Metacity, which is described here as a "boring window manager for the adult in you." Anyone with Metacity screenshots, please post below :) -
Debian May 1 Release Delayed
andrew writes "Anthony Towns, Debian's Release Manager, posted this message regarding the status of the expected May 1st release of Woody made reference to in this slashdot story. In short, he says: "So, it's April 30th (for most of the planet, anyway), which probably means folks are beginning to get mildly curious about whether woody'll actually be ready for release tomorrow. The answer is a definite 'kind-of'. Which is to say, 'no'."" -
Slashback: Porntrusion, Greenness, Rollercoaster
Tonight's Slashback includes updates on the state of MPlayer, Google's API release, DIY backyard transportation, and (thanks to politech) the "hidden camera" bill. Oh, and apparently, Mars is not the lush, green paradise you thought it might be. Read on for the details. But what about the nude Russian girls who apparently need me? happyclam writes: "The text of the "hidden camera" bill has been posted at politechbot.com. Although we have already beat this one to death, I found the actual bill worth reading. One thing that had not been mentioned is that it allows for civil and criminal liability for spammers who email sexual advertisements without proper markings. Although I still prefer positive labeling (e.g. "kid-safe(tm)") to negative labeling (e.g. "socially questionable"), this bill does, I think, have a few good points to it. Read it."
DVDs want to be free. An Anonymous Coward writes: "According to this email and the latest news the mplayer source code is finally 100% GPL compliant. Maybe an official Debian package will finally be released as well instead of the marillat release. Work on integrating the open source Xvid MPEG4 codec is coming along nicely as well."
Gravity always wins, but likes to play. mzdial writes: "On March 14 you did a piece on this Southern Indiana's man love of roller coasters and how he created his own in his backyard! The Indianapolis Star has done a wonderful story with video and photos about this wonderful contraption. You can find the article here."
They're greedy for hits. ruvreve writes "A follow-up to the recent article about Google's release of an API. This article talks about the apparent success of releasing the API. It mentions that about 10,000 people have signed up and they have received 25 implementations in the first week. It goes on to talk about how Google needs to capitalize on the ability to provide a 'profitable' web service and maintain its position as the number-one search engine."
Chasing green, wet shadows. young-earth writes "In a disappointing followup to this story, an article on astronomy.com shows that what was thought to be chlorophyll on Mars found in the Pathfinder expedition was most probably artifacts of the processing model used. However future missions will profit from the work being done now: "...developing new methods to enable future rovers to select appropriate targets on the martian surface for further spectroscopic or close-up microscopic examination". So maybe in another mission..."
-
Bdale Garbee elected Debian Project Leader
Daniel Stone writes "In results released by Project Secretary Manoj Srivastava today, Bdale Garbee was elected Project Leader ahead of Raphael Hertzog and Branden Robinson. Congratulations Bdale! And no CmdrTaco, the debs are not (quite) yet ready, but they *are* very close." The elections page has more information. -
Debian 3.0 (Woody) May 1?
dex@ruunat noted that this morning, in a message to the debian-devel-announce mailing list, Anthony Towns, Debian's Release Manager, wrote: "I'm becoming increasingly confident in woody's release readiness. So, to go out on a limb: Debian 3.0 (codenamed woody) will release on May 1st, 2002." Congrats to all the debheads putting this thing together. I have a blank CDR waiting ;) -
Rootkit Packaged for Debian
Erich writes "Debian Developer Simon Richter announced in this posting to debian-devel that he Intends to Package (ITP) a R00tk1t for Debian Linux. The rootkit will make use of debian mechanisms such as diversions to divert the original /bin/ls commands and replace them cleanly by the modified versions. Even reinstalling or upgrading the file-utils package (containing /bin/ls) will then not remove the modified /bin/ls and the rootkit will stay active, being probably the first upgrade-resistant rootkit! This rootkit will then be easy to install by doing "apt-get install rootkit" - a major usability aspect for our fellow wannabe-hackers, making Debian the premier choice for them." -
Debian Developer Wins Gold in Paralympics
robstah writes: "Bart Bunting, a Debian developer has won two gold medals in the 2002 Paralympics games. This story at Debian Planet has more information. I think we should commend Bart for his excellent achievement and wish him luck for the future." -
Debian "debconf" 2002 Set For Toronto in July
evil_one writes: "Debian Planet is reporting that the official announcement has gone out regarding Debconf 2002. It's going to be held July 6-8th , making it rather convenient for anyone who wants to attend the Ottawa Linux symposium this year." -
Cryptographic Software in Debian's Main Archive
Cine writes: "James Troup and Sam Hartman recently sent a note to all debian mirror maintainers, to inform them about the current situation and future plans. Sometime after March 8th, crypto software like OpenSSH, SSL support, and many other enhancements will be integrated into the debian main archive. This is in accordance with legal advice the Debian project received." -
Jordan Hubbard On Next-Generation Packaging
GlobalEcho writes: "Developers associated with Darwin are beginning to think about package management and source building. At issue is whether something like dpkg, RPM or *BSD's ports could suffice, or whether they are all just way too mid-90's. Jordan Hubbard himself (now of Apple) weighed in with his opinions (user and passwd 'archives'). Apparently he thinks it is time for something more advanced, and he gives some ideas about what that might look like. Does anyone else have good ideas?" -
Recycling Vintage Alphas with Debian
robstah writes: "Vintage Alpha based systems, such as the DECstation, are often available going cheap at auctions or free from a skip as companies 'upgrade' to PCs. As many governments now want to prevent computers from ending up in landfill, one solution is for us geeks to recycle. How? Installing Debian of course. Debian Planet has a great article on installing Debian on vintage Alphas." -
Corel Shuts Down Open Source Development Site
evil_one writes: "The end is finally here for Corel, who released a Debian-based Linux distro a couple of years ago (now owned by Xandros) and has announced that they are shutting down their Open Source Development web site as of March 1st. As many readers already know, Corel has helped the community on a huge scale, providing the Linux world with versions of Corel Draw and Corel WordPerfect. It's sad to see this, especially with the amount of work that Corel has put into Wine and their other projects, which include add-ons to KDE." Guess I can retire this topic icon ;) -
Debian Woody Nearing Release
willybur submits word of this Debian Planet story on the upcoming release of its next stable version. The article says: "According to Anthony Towns (our beloved Release Manager), woody is nearing release. All but three RC base bugs are fixed now, and the bugsquashing party is working through the RC bugs in standard. It's not all good news though. The bad news is that this means we're probably releasing soon, and that of the hundreds of less important packages with RC bugs (eg, bugzilla, craft, crossfire-{client,server}, epic4, fvwm95, gmc, gnome-admin, intuitively, kdepim, moon-lander, tkdesk, wine, and xosview) will be getting randomly ripped out of testing ... Check the stuff that's important to you and get it fixed before it's too late." Says willybur: "See the announcement on debian-devel-announce." -
The Myth of Open Source Security Revisited v2.0
Dare Obasanjo contributed this followup to an article entitled The Myth of Open Source Security Revisited that appeared on the website kuro5hin. He writes: "The original article tackled the common misconception amongst users of Open Source Software (OSS) that OSS is a panacea when it comes to creating secure software. The article presented anecdotal evidence taken from an article written by John Viega, the original author of GNU Mailman, to illustrate its point. This article follows up the anecdotal evidence presented in the original paper by providing an analysis of similar software applications, their development methodology and the frequency of the discovery of security vulnerabilities." Read on below for his detailed analysis, especially relevant with the currency of security initiatives in the worlds of both open- and closed-source software.
The Myth of Open Source Security Revisited v2.0
The purpose of this article is to expose the fallacy of the belief in the "inherent security" of Open Source software and instead point to a truer means of ensuring that the security of a piece of software is of high quality.
Apples, Oranges, Penguins and Daemons
When performing experiments to confirm a hypothesis on the effect of a particular variable on an event or observable occurrence, it is common practice to utilize control groups. In an attempt to establish cause and effect in such experiments, one tries to hold all variables that may affect the outcome constant except for the variable that the experiment is interested in. Comparisons of the security of software created by Open Source processes and software produced in a proprietary manner have typically involved several variables besides development methodology.
A number of articles have been written that compare the security of Open Source development to proprietary development by comparing security vulnerabilities in Microsoft products to those in Open Source products. Noted Open Source pundit Eric Raymond wrote an article on NewsForge where he compares Microsoft Windows and IIS to Linux, BSD and Apache. In the article, Eric Raymond states that Open Source development implies that "security holes will be infrequent, the compromises they cause will be relatively minor, and fixes will be rapidly developed and deployed." However, upon investigation it is disputable that Linux distributions have less frequent or more minor security vulnerabilities when compared to recent versions of Windows. In fact, the belief in the inherent security of Open Source software over proprietary software seems to be the product of a single comparison, Apache versus Microsoft IIS.
There are a number of variables involved when one compares the security of software such as Microsoft Windows operating systems to Open Source UNIX-like operating systems including the disparity in their market share, the requirements and dispensations of their user base, and the differences in system design. To better compare the impact of source code licensing on the security of the software, it is wise to reduce the number of variables that will skew the conclusion. To this effect it is best to compare software with similar system design and user base than comparing software applications that are significantly distinct. The following section analyzes the frequency of the discovery of security vulnerabilities in UNIX-like operating systems including HP-UX, FreeBSD, RedHat Linux, OpenBSD, Solaris, Mandrake Linux, AIX and Debian GNU/Linux.
Security Vulnerability Face-Off
Below is a listing of UNIX and UNIX-like operating systems with the number of security vulnerabilities that were discovered in them in 2001 according to the Security Focus Vulnerability Archive.
AIX: 10 vulnerabilities [6 remote, 3 local, 1 both]
Debian GNU/Linux: 13 vulnerabilities [1 remote, 12 local] + 1 Linux kernel vulnerability [1 local]
FreeBSD: 24 vulnerabilities [12 remote, 9 local, 3 both]
HP-UX: 25 vulnerabilities [12 remote, 12 local, 1 both]
Mandrake Linux: 17 vulnerabilities [5 remote, 12 local] + 12 Linux kernel vulnerabilities [5 remote, 7 local]
OpenBSD: 13 vulnerabilities [7 remote, 5 local, 1 both]
Red Hat Linux: 28 vulnerabilities [5 remote, 22 local, 1 unknown] + 12 Linux kernel vulnerabilities [6 remote, 6 local]
Solaris: 38 vulnerabilities [14 remote, 22 local, 2 both]
From the above listing one can infer that source licensing is not a primary factor in determining how prone to security flaws a software application will be. Specifically, proprietary and Open Source UNIX family operating systems are represented on both the high and low ends of the frequency distribution.
Factors that have been known to influence the security and quality of a software application are practices such as code auditing (peer review), security-minded architecture design, strict software development practices that restrict certain dangerous programming constructs (e.g. using the str* or scanf* family of functions in C) and validation and verification of the design and implementation of the software. Reducing the focus on deadlines and only shipping when the system is in a satisfactory state is also important.
Both the Debian and OpenBSD projects exhibit many of the aforementioned characteristics which help explain why they are the Open Source UNIX operating systems with the best security record. Debian's track record is particularly impressive when one realizes that the Debian Potato consists of over 55 million lines of code (compared to RedHat's 30,000,000 lines of code).
The Road To Secure Software
Exploitable security vulnerabilities in a software application are typically evidence of bugs in the design or implementation of the application. Thus the process of writing secure software is an extension of the process behind writing robust, high quality software. Over the years a number of methodologies have been developed to tackle the problem of producing high quality software in a repeatable manner within time and budgetary constraints. The most successful methodologies have typically involved using the following software quality assurance, validation and verification techniques: formal methods, code audits, design reviews, extensive testing and codified best practices.
Formal Methods: One can use formal proofs based on mathematical methods and rigor to verify the correctness of software algorithms. Tools for specifying software using formal techniques exist such as VDM and Z. Z (pronounced 'zed') is a formal specification notation based on set theory and first order predicate logic. VDM stands for "The Vienna Development Method" which consists of a specification language called VDM-SL, rules for data and operation refinement which allow one to establish links between abstract requirements specifications and detailed design specifications down to the level of code, and a proof theory in which rigorous arguments can be conducted about the properties of specified systems and the correctness of design decisions. The previous descriptions were taken from the Z FAQ and the VDM FAQ respectively. A comparison of both specification languages is available in the paper, Understanding the differences between VDM and Z by I.J. Hayes et al.
-
Code Audits: Reviews of source code by developers other than the author of the code are good ways to catch errors that may have been overlooked by the original developer. Source code audits can vary from informal reviews with little structure to formal code inspections or walkthroughs. Informal reviews typically involve the developer sending the reviewers source code or descriptions of the software for feedback on any bugs or design issues. A walkthrough involves the detailed examination of the source code of the software in question by one or more reviewers. An inspection is a formal process where a detailed examination of the source code is directed by reviewers who act in certain roles. A code inspection is directed by a "moderator", the source code is read by a "reader" and issues are documented by a "scribe".
-
Testing: The purpose of testing is to find failures. Unfortunately, no known software testing method can discover all possible failures that may occur in a faulty application, and metrics to establish such details have not been forthcoming. Thus a correlation between the quality of a software application and the amount of testing it has endured is practically non-existent.
There are various categories of tests including unit, component, system, integration, regression, black-box, and white-box tests. There is some overlap in the aforementioned testing categories.
Unit testing involves testing small pieces of functionality of the application such as methods, functions or subroutines. In unit testing it is usual for other components that the software unit interacts with to be replaced with stubs or dummy methods. Component tests are similar to unit tests with the exception that dummy and stub methods are replaced with the actual working versions. Integration testing involves testing related components that communicate with each other, while system tests involve testing the entire system after it has been built. System testing is necessary even if extensive unit or component testing has occurred because it is possible for separate subroutines to work individually but fail when invoked sequentially due to side effects or some error in programmer logic. Regression testing involves the process of ensuring that modifications to a software module, component or system have not introduced errors into the software. A lack of sufficient regression testing is one of the reasons why certain software patches break components that worked prior to installation of the patch.
Black-box testing, also called functional testing or specification testing, tests the behavior of the component or system without requiring knowledge of the internal structure of the software. Black-box testing is typically used to test that software meets its functional requirements. White-box testing, also called structural or clear-box testing, involves tests that utilize knowledge of the internal structure of the software. White-box testing is useful in ensuring that certain statements in the program are exercised and errors discovered. Code coverage tools aid in discovering what percentage of a system is being exercised by the tests.
More information on testing can be found at the comp.software.testing FAQ.
-
Design Reviews: The architecture of a software application can be
reviewed in a formal process called a design review. In design reviews the
developers, domain experts and users examine whether the design of the
system meets the requirements and whether it contains any significant flaws
of omission or commission, before implementation occurs.
-
Codified Best Practices: Some programming languages have libraries
or language features that are prone to abuse and are thus prohibited in
certain disciplined software projects. Functions like
strcpy, gets, and scanf in C are examples of library functions that are poorly designed and allow malicious individuals to use buffer overflows or format string attacks to exploit the security vulnerabilities exposed by using these functions. A number of platforms explicitly disallow gets, especially since alternatives exist. Programming guidelines, such as those written by Peter Galvin in a Unix Insider article on designing secure software, are used by development teams to reduce the likelihood of security vulnerabilities in software applications.
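As an added example that is not part of the article or of any project it cites: the operations the unbounded calls above are usually used for, written with bounded replacements. The copy routine follows the strlcpy return convention from the Miller and de Raadt paper in the references, reimplemented here because strlcpy is not in every libc; the 16-byte buffers and the "user=" input format are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Bounded copy with strlcpy semantics: always NUL-terminates when size > 0
   and returns strlen(src), so the caller detects truncation with ret >= size.
   Reimplemented here (hypothetical name) because strlcpy is not portable. */
size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size == 0)
        return srclen;
    size_t n = srclen < size - 1 ? srclen : size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* The pattern the article warns against, kept only for contrast and never
   called: strcpy copies until it finds a NUL, so a source of 16 or more
   bytes writes past the 16-byte destination. */
void unsafe_set_name(char name[16], const char *src)
{
    strcpy(name, src);   /* no length check */
}

/* Hardened replacement: refuses a value that does not fit rather than
   overflowing or silently truncating. Returns 0 on success, -1 otherwise. */
int safe_set_name(char name[16], const char *src)
{
    if (bounded_copy(name, src, 16) >= 16) {
        name[0] = '\0';  /* do not leave a partial value behind */
        return -1;
    }
    return 0;
}

/* gets() cannot be told the buffer size; fgets() can. Reads one line into
   buf, strips the newline, and returns 0 if the whole line fit, 1 if the
   line was longer than the buffer (the excess is discarded), -1 at EOF. */
int read_line(FILE *in, char *buf, size_t size)
{
    if (fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n' || feof(in)) {
        buf[len] = '\0';
        return 0;
    }
    /* buffer filled before a newline was seen: check what follows */
    int c = fgetc(in);
    if (c == '\n' || c == EOF)
        return 0;        /* the line fit exactly */
    while (c != EOF && c != '\n')
        c = fgetc(in);   /* drain the rest of the over-long line */
    return 1;
}

/* scanf("%s") is as unbounded as gets(); a width specifier (%15s for a
   16-byte buffer) limits the copy. Parses "user=<word>" from a line. */
int parse_user(const char *line, char user[16])
{
    return sscanf(line, "user=%15s", user) == 1 ? 0 : -1;
}
```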
Issues Preventing Development of Secure Open Source Software
One of the assumptions that is typically made about Open Source software is that the availability of source code translates to "peer review" of the software application. However, the anecdotal experience of a number of Open Source developers including John Viega belies this assumption.
The term "peer review" implies an extensive review of the source code of an application by competent parties. Many Open Source projects do not get peer reviewed for a number of reasons, including:
- complexity of the code, combined with a lack of documentation, makes it difficult for casual users to understand the code well enough to give a proper review.
- developers making improvements to the application typically focus only on the parts of the application that will affect the feature to be added instead of the whole system.
- ignorance of developers about security concerns.
- complacency in the belief that since the source is available it is being reviewed by others.
Benefits of Open Source to Security-Conscious Users
Despite the fact that source licensing and source code availability are not indicators of the security of a software application, there is still a significant benefit of Open Source to some users concerned about security. Open Source allows experts to audit their software options before making a choice and also in some cases to make improvements without waiting for fixes from the vendor or source code maintainer.
One should note that there are constraints on the feasibility of users auditing the software based on the complexity and size of the code base. For instance, it is unlikely that a user who wants to make a choice of using Linux as a web server for a personal homepage will scrutinize the TCP/IP stack code.
References
- Frankl, Phyllis et al. Choosing a Testing Method to Deliver Reliability. Proceedings of the 19th International Conference on Software Engineering, pp. 68--78, ACM Press, May 1997. <http://citeseer.nj.nec.com/frankl97choosing.html>
- Hamlet, Dick. Software Quality, Software Process, and Software Testing. 1994. <http://citeseer.nj.nec.com/hamlet94software.html>
- Hayes, I.J., C.B. Jones and J.E. Nicholls. Understanding the differences between VDM and Z. Technical Report UMCS-93-8-1, University of Manchester, Computer Science Dept., 1993. <http://citeseer.nj.nec.com/hayes93understanding.html>
- Miller, Todd C. and Theo de Raadt. strlcpy and strlcat - consistent, safe, string copy and concatenation. Proceedings of the 1999 USENIX Annual Technical Conference, FREENIX Track, June 1999. <http://www.usenix.org/events/usenix99/full_papers/millert/millert_html/>
- Viega, John. The Myth of Open Source Security. Earthweb.com. <http://www.earthweb.com/article/0,,10455_626641,00.html>
- González-Barahona, Jesús M. et al. Counting Potatoes: The Size of Debian 2.2. <http://people.debian.org/~jgb/debian-counting/counting-potatoes/>
- Wheeler, David A. More Than A Gigabuck: Estimating GNU/Linux's Size. <http://www.counterpane.com/crypto-gram-0003.html>
Acknowledgements
The following people helped in proofreading this article and/or offering suggestions about content: Jon Beckham, Graham Keith Coleman, Chris Bradfield, and David Dagon. © 2002 Dare Obasanjo -
Quantum Programming with Perl
moyix writes: "There's an article over at perl.com that describes how to use a perl module called Quantum::Entanglement. Using this module, one can simulate programming for a quantum computer. Developers looking to keep their skills current well into the next decade should check this out ;) Debian folks can grab libquantum-entanglement-perl and libquantum-superpositions-perl." -
KDE 3.0 Release Plan Updated
loopkin noted that the dot is running a bit about the KDE 3 Release. Here's the release schedule, and as you can see, the upcoming weeks will be interesting. I guess I should figure out why my truetype fonts all broke on a recent update to debian unstable so that I can actually enjoy the new releases :) -
Borland Kylix/JBuilder License Reviewed
DJFelix writes: "I'm probably the billionth person to submit this story, but T.J. Duchene has posted a horrifying review of Borland's license for Kylix and JBuilder 5. The license requires giving Borland the right to enter your property, search your systems and records for license compliance. The license also requires the waiving of a jury trial by all parties for all suits including class action suits. This type of gestapo licensing will not be accepted by even the most hardcore anti open-source companies. Send an e-mail to pr@borland.com to voice your concern." -
Debian 2.2r5 Released
Debian potato has been updated to 2.2r5. See the press release for info on what has changed - mostly bugfixes, of course, since this is the stable distribution. -
Hurd: H2 CD Images
An anonymous submitter sends in: "The Debian GNU/Hurd team released a new Hurd CD Image. Snapshot images are produced at a four to eight week interval and the H2 images are the tenth of the series. The Hurd has grown from one CD image in August 2000 (A1) to four images in December 2001 (H2). These images are snapshots of a developing operating system, so suitable precautions must be taken when making an installation. Similar to other architectures, most important programs reside on CD 1, while the other ones contain less important packages. For the moment, Hurd doesn't support card sound and partition size is still limited to 1 GB. Hurd use the Debian packaging system (dpkg and apt as for Debian linux) , so it is simple to install and update packages."