Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another Look At Mozilla's BugFix Rate

Posted by Zonk on from the must-go-faster dept.

An anonymous reader writes "Washingtonpost.com's Security Fix blog has published the results of a look back at three years worth of critical patches from Mozilla, and found that Mozilla typically ships updates for critical flaws in about three weeks, though in more than a third of the cases it pushed out a fix in ten days or less. The data comes just a few weeks after The Post published data from a similar study that found Microsoft averaged 130+ days to fix critical flaws. Slashdot also covered that study in a previous post."

2 of 174 comments (clear)

  1. The eyes are looking at the edges by Weaselmancer · · Score: 3, Informative

    I used to think it was just poor management, but now you have open source projects with thousands of eyes looking at every line of code.

    IMHO, I believe that the reason why is because most of the developers are looking "at the edges" - where new functionality is being added. For example, how many of those developers are looking at the JPEG decompress routine? Turns out that wound up being important exploit-wise recently. And there it sat for years, unnoticed.

    from what I remember in taking computer science, if you follow some simple procedures, the code is robust.

    Well, robust doesn't just come from simple procedures. It's also design and style. You can't come up with excellent procedures and guarantee good software. You have to design well, communicate well, and implement ideas correctly. A lot is also owed to experience - sometimes, the only way to find out you've screwed up is after the fact. A good example is strcpy(). We know unbounded copy is a bad idea now, but how many years went by before we did?

    --
    Weaselmancer
    rediculous.
  2. Re:"from the must-go-faster dept." by bdaehlie · · Score: 4, Informative

    The Mozilla developers spend quite a bit of time on reducing memory usage and leaks. The issue is taken very seriously. All I said was that leaks exist, and that they don't indicate that Mozilla's entire codebase is sloppy. That doesn't mean Mozilla developers aren't doing anything about them or they think they are OK.

    CyricZ, please stop trying to get attention by being dramatic and twisting words. Your criticism is not contructive, just uninformed and inflamatory.

    P.S. Re: "the attitude of the Firefox developers" - I am only one Firefox developer. I am not speaking for any other devs.