Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask About Proprietary vs. Open Source Code Quality

Posted by Roblimo on from the bugstomping dept.

Scott Trappe is CEO of Reasoning, a company that has gained a certain amount of noteriety (and a Slashdot mention) by running its Ilumna automated inspection service on several versions of TCP/IP -- and concluding that the Linux version has fewer bugs than most proprietary ones. Why is this? Let's ask Scott, and also ask him any other question you can think of about software quality and how to achieve it since, after all, that's his business. We'll send him 10 of the highest-moderated questions and post his answers when we get them back.

31 of 196 comments (clear)

  1. Security through Obscurity by jkusar · · Score: 5, Interesting

    What is your opinion on this topic? In your experience, does having the source closed make it any harder to find bugs and security flaws?

  2. Where was the most interesting ... by burgburgburg · · Score: 4, Interesting

    reference to your research? Whose inclusion of your work most impressed? Most confused? Most disturbed? And was there anyone who referenced your work but totally misunderstood what you were saying/doing and their conclusions were way off?

  3. sample size and conclusions by tim_maroney · · Score: 5, Insightful

    How can any conclusions about the relative virtues of two development methodologies with a universe in the millions of components be drawn from a single sample, and one as small and atypical as a TCP/IP stack?

  4. Where in the product lifecycle is the problem? by $$$$$exyGal · · Score: 5, Interesting
    Where, in your opinion, do most products fail when it comes to attaining quality in software?:
    1. Planning (specifications)
    2. Development
    3. Post-development testing
    4. Or anything else? (or a mixture, etc)
    --
    Very popular slashdot journal for adul
  5. What exactly is being compared. by stratjakt · · Score: 5, Interesting

    "Reasoning declined to disclose which operating systems it compared with Linux, but said two of the three general-purpose operating systems were versions of Unix"

    So did you go cherry picking to find OS's that had more bugs than linux, or was it random or what?

    Too often the Open vs Closed argument turns into linux vs windows, and then criteria is arbitrarily picked. Since the two OS's are designed largely for very different purposes, the comparison is by definition never fair, no matter who conducts it.

    Saying that one product is better doesnt necessarily mean that the way it was created is inherently superior.

    Implementing properly documented standards is something the OS community is great at, since they're all on the same page. Creating from scratch is different.

    Hence, TCP/IP is rock solid in linux, yet development on the desktop crawls along in 100 different directions at once, gaining little ground.

    --
    I don't need no instructions to know how to rock!!!!
  6. Proprietary v Open by Oculus+Habent · · Score: 5, Interesting

    Some proprietary products like Microsoft Office partially maintain there dominance by not disclosing the details of the file format, or modifying standard formats to reduce compatability. Do you think that competetive free products would be more widely accepted if the file formats were open/standardized, or would the dominance and familiarity of the current packages would maintain their market control?

    --
    That what was all this school was for... to teach us how to solve our own problems. -- janeowit
  7. The development enviroment by davidmcn · · Score: 5, Interesting

    Because there are obvious differences in the cultural enviroment of developing open source versus proprietary software, what is you opinion what factors affect the quality of code that is produced from these two enviroments and how?

    --
    Memories become legend, Legend fades to myth, and even myth is forgotten by the time that age comes again.-Robert Jordan
    1. Re:The development enviroment by BoogerWoman · · Score: 4, Interesting
      And, in addition to the environment, what motivations within the different environments affect how bugs get found, and what reward there is for finding them?

      For example:

      • Do you think (your opinion, of course) that open source original authors are more motivated to create fewer bugs because their code will be read by others?
      • Or perhaps that open source finds an academic (or similar) niche and one can obtain academic (or similar) stardom by finding bugs?
      • Finally, from these motivations, how do you think motivation itself could improve in proprietary software's ability to fix bugs? (Provided motivation is indeed the problem, and proprietary software does, indeed, tend to have more errors).
  8. Fine and dandy. by grub · · Score: 5, Interesting


    OK "Your TCP stack is cleaner than theirs" but what metrics are being used? How do we know bugs in their testing software doesn't skew the numbers?

    --
    Trolling is a art,
  9. The right tool by Vollernurd · · Score: 5, Interesting

    Would it be fair to ask if you are an advocate of any particular type of software, or you merely promote use of the "right tool for the right job"?

    --
    Smokey, this is not 'Nam, this is bowling. There are rules.
  10. How many bugs are emergent phenomena? by uiil · · Score: 5, Interesting

    Is a certain percentage of bugs that result from the interaction of two or more otherwise bug free components?

  11. What needs to happen? by argmanah · · Score: 5, Interesting

    If open source has such a direct correlation to better quality, why do you feel companies are still keeping their source proprietary? Do you think that we should try and convince them to open source their code in every case, and if so, what do you think needs to happen before they can be convinced to change their minds?

    --
    Overrated Moderation: This posts sucks... because.
  12. Is this applicable everywhere? by ikoleverhate · · Score: 5, Interesting

    Do you believe the 'evolutionary' pressures that led the Linux tcp/ip implementation being better are in action in other areas of opens source activity? I can see the tcp/ip implementation getting a lot of attention from coders as linux is primarily a server platform but are less obviously important areas performing similarly?

    If so, which areas do you think are benefitting and which need more community action / peer pressure to excel?

    Are there any areas you think this phenomenon will never apply? (eg areas in which proprietary code will always be better)

  13. What about BSD? by kidlinux · · Score: 5, Interesting

    Sometimes I think Linux takes more that its fair share of the limelight. Generally when I see some aspect of Linux compared to other OSes, I'm interested in seeing how BSD fares as well. Not so much to decide which is better, but it's interesting to see how the two do against each other, given that they're both open source projects. It seems to me that they both have many different and similar goals, and take different approaches at doing things. I'd like to see how it all adds up.

    So did you take a look at the BSD tcp/ip implementation, if so, how did it compare to the rest?
    If you didn't, why not?

    --
    -kidlinux.
  14. Influence of project size by arvindn · · Score: 4, Interesting

    The parallelizability of bug-fixing is quite clearly very effective for high-visibility projects such as the linux kernel and apache. However, considering that most open-source projects have only between 1 and 5 developers, how popular do you think a project needs to be for it to significantly benefit from people looking at the source code?

  15. Quality Software vs Fewer Bugs? by gosand · · Score: 5, Interesting
    I work in software Quality Assurance, and have for going on 10 years now. My experience tells me that true software bugs are only part of the quality of software. So much can get lost in the software development lifecycle. An unclear requirement can travel through the lifecycle and come out the other end as a bug to the customer. Usability is another part of quality. It could be bug-free, but if it is really difficult to use or doesn't fit the needs of the customer, it may not matter.

    It sounds like your company focuses on analyzing the code bugs, and not necessarily the perceived bugs. What are your opinions on this? I know that locating and eliminating the bugs *is* a critical part of software QA, but do you feel that bug-free ensures true quality? A bug-free Open Source project may still be too difficult to use or confusing for the non-technically inclined.

    --

    My beliefs do not require that you agree with them.

  16. What about the bad guys? by arvindn · · Score: 4, Interesting

    It is natural to expect the number of bugs to go down when more people look at the source. However the downside to being open source from the security viewpoint is that possibly makes it easier for the bad guys to find bugs. Have you measured the effect of this? Is it actually easier for crackers to find bugs when they have access to the code? If so, do you think the smaller frequency of bugs adequately compensates for their increased exploitability?

  17. Re:Give due credit by TheRaven64 · · Score: 4, Informative
    Didn't the TCP/IP code originally come from the FreeBSD project?

    No. The Linux TCP/IP stack was written from the spec mainly by Alan while he was at Swansea. Haven't you seen the credit to SUCS in your Linux boot-up? That's the problem with graphical splash screens...

    --
    I am TheRaven on Soylent News
  18. A bug is a bug is a bug? by binaryDigit · · Score: 4, Interesting

    The tcp/ip findings were interesting, but were they really relevant. Let's say that one of the tcp/ip stacks that had more "bugs" was Solaris. Now I assume that the Solaris tcp/ip stack has not had significant changes in a very long while, also, that if these "bugs" actually negatively impacted the working of the code, that they would have repaired. So my question is, how does your application mark a bug? And from the original /. article, it would appear that you treated all "bugs" the same. Is a failure to check for a null pointer "a bug". Having a more explicit rundown of the type and scope of bugs found would be much more meaningful.

  19. Did they fix the bugs they found? by scotpurl · · Score: 4, Interesting

    It says they found so many bugs per 1,000 lines, but did they submit the errors, or fixes, to CVS, or to the vendor?

  20. General quality of programming by pro-mpd · · Score: 5, Interesting

    Do you find that the quality of the programming depends upon the geographic location of the programmers? So, for instance, an open source program will be troubleshot and combed over by people from potentially a dozen different countries. Closed source software is checked by people where it is written. Since, as a general rule, education varies in quality and areas of emphasis around the world, does it help having people attacking a program from many different angles (i.e., open source, cheked world wide) rather than simply drawing from a set of people who may share many of the same abilities, backgrounds, etc.?

  21. Why the TCP/IP subsystem? by James+Chamberlain · · Score: 4, Interesting

    Why did you choose to look at the TCP/IP code over any other particular subsystem? Do you have plans to review any other portions of the code? For instance, I think it would be very interesting to see a similar comparison which examined the code for file systems or virtual memory. Have you reported the bugs you found back to the authors of the code?

  22. What Metrics Are Used to Determine Buginess? by Carnage4Life · · Score: 5, Interesting

    I assume some of this information may be "company secrets" but I'm very interested in learning what metrics are used to determine which source code is "buggier" than others. Is this something as simple as running lint + "gcc -Wall -ansi -pedantic" then piping the output to "wc -l" ?

    Are there checks for use of unsafe functions like gets and the str* family of functions in C? Are there more complex data flow analysis algorithms at play here like those in the used in Stanford's Meta-level compilation techniques?

    Inquiring minds want to know. A pronouncement like OS foo is has more/less bugs than OS bar is meaningless without a definition of what having more/less bugs means.

  23. Issues behind test cases for proprietary v.s. open by Tekmage · · Score: 4, Insightful

    One of the bigger challenges facing open source projects as compared to their proprietary equivalents is how to manage confidentiality of test cases. With companies such as Red Hat and Ximian involved, it's certainly less of an issue for their core products and projects they over-see, but there will always be cases where there is friction when the best/only person who can fix a particular problem is on the outside, unable to work with the test cases in question.

    What are your thoughts on this trade-off between test case management and confidentiality as it relates to proprietary v.s. open source code development?

    --
    --The more you know, the less you know.
  24. Compare yourselves to Checker and Smatch by Anonymous Coward · · Score: 4, Interesting

    Please compare and contrast the services your
    company offers with those offered by Checker
    or Smatch.
    They seem pretty similar. In fact, do you
    use Checker or Smatch internally? It would
    seem logical.
    - Dan Kegel (dank@kegel.com)

  25. How do you maintain your neutrality? by arvindn · · Score: 4, Interesting

    Given that on more than one occasion "independent institutions" which conducted similar studies (and concluded that closed source is superior) were revealed to have been sponsored by the other side, how do you convince other people of your neutrality? Since you are selling a service, not a product, I would guess that the confidence of your customers in your independence is pretty important from a business perspective. How do you win and keep that confidence? The article notes that you agree with ESR's pro open-source reasoning. Wouldn't the perception of your having a OSS bias be something you'd want to avoid?

  26. Peer review by ralico · · Score: 5, Interesting

    How much of a role do you think peer review plays in software quality?
    In proprietary source systems, there is generally formal peer review, as per CMMI. But I have seen this done rarely (almost exclusively for CMMI level 3+ projects). There seems to be a disincentive to do formal peer review. There seem to be various reasons for this, cost, workplace environment, and group dynamics. Which do you think are most significant?

    Whereas in open source projects, there is not the formal peer review, but rather seems like a mass informal peer review. This seems to foster an enviroment of besting each other, trying to find the most and most obscure bugs.
    What do you say?

    --

    SCO to Hell
  27. So if open source is so good... by anthony_dipierro · · Score: 4, Insightful

    Where can I get the source code to these automated inspection tools?

  28. The future of automated code inspection by phamlen · · Score: 5, Interesting
    According to the article, it appears that you look for buffer overflows, freeing memory early, and other memory issues.

    What errors are currently hard to detect automatically but which you would really like to be able to find?
    What is the next category of errors that you're trying to detect with automatic code inspection?

    To give you some ideas, what about:
    • "unrefactored" code - code which has a lot of duplication and should be cleaned up
    • "untested" code - code (or branches in the code) that are currently untested by unit tests?
    • "programmer intention" errors - code which doesn't do what the programmer intends
  29. Test first by neurojab · · Score: 4, Interesting

    What do you think about the new "test first" software development methodology? For those that haven't heard of it, it's a method wherein the test cases for a program are written, and no code is written that doesn't cause a failing test case to pass. All test cases are automated and run after every code change. Would you advocate this in an open-source project? This would mean every contributor would write test cases for each new feature, and add it to a project's common test case repository... What do you think?

  30. Stupidity and Lies (Broken Metric) by oldCoder · · Score: 4, Insightful
    The companys bug scan software looked at TCP/IP stacks from different OSes. Presumably they implemented the same functionality. The statistics given are not for the stacks as a whole, but are given in "Defects per 1000 lines of code".

    Think about that.

    If Stack A is 3 times as large (bloated code) but has only 2 times the bugs as stack B, then stack A (worse in all respects) gets a better grade!!!

    You can halve your defect count by doubling the number of lines of code in your module. What a rip! How could so many people read and write about this and not see the problem.

    --

    I18N == Intergalacticization