Slashdot Mirror


US Government Studies Open Source Quality

anadgouda writes "The US Department of Homeland Security has released a report on open source quality in an effort to study the security of open source. 31 popular open source packages were studied as part of this effort. From the article: 'Coverity's report, Stacking up the LAMP stack: a study of open source quality, was produced as part of a $1.24m, three-year DHS Science and Technology Directorate effort to evaluate and improve the security of open source.'"

165 comments

  1. So, by Eightyford · · Score: 4, Interesting

    So, does anyone have the numbers as to how much of the government uses open source? Is it mostly an applications thing (OpenOffice) right now, or are Linux and the BSDs much in use?

    1. Re:So, by Neoprofin · · Score: 1

      I would say more in the vein of Linux/BSD, at least so far as the NSA having their own security oriented distro which is available for download on their site.

    2. Re:So, by Eightyford · · Score: 1

      What's the point of the "So" at the start of your sentence? It doesn't give any more information. It doesn't even elaborate on or give emotion to any other information in your sentence. Try removing it - you will find your sentence works just as well.

      Ugh, it adds a bit of casualness to the sentence.

    3. Re:So, by Anonymous Coward · · Score: 0

      So, thanks for pointing that out?

    4. Re:So, by Anonymous Coward · · Score: 0

      His topic is 'So'.

    5. Re:So, by Angostura · · Score: 1

      What's the point of the "So" at the start of your sentence? It doesn't add information, emotion or elaborate any facts. Try removing it - you will find your sentence works just as well.

      Fixed that for you.

    6. Re:So, by lengau · · Score: 1

      So what's the point of your post? His grammar was still correct.

      --
      I really wanted to change my sig to something witty, but all I could come up with is this.
    7. Re:So, by Voltageaav · · Score: 1

      It depends on what it's for. The vast majority of DoD machines have Windows, but there are some RedHat boxes around as well. I've only seen OS programs on the Linux boxes beyond seeing Firefox every once in a while...

      --
      Someone save me from this sanity.
    8. Re:So, by LordVaderSithLord · · Score: 1

      I know that the personnel boxes that the military uses are Unix based

    9. Re:So, by squallbsr · · Score: 1

      The government is somewhat scared of OpenSource, especially in the government secrets world. It doesn't make much sense to be scared of OpenSource, but the argument that has been given time and time again is that anybody can look at the source code and hack into the system. This pertains more for the smaller projects that would be useful in the development on some government made software product. There are a few Linux distributions on the "safe list" and also OSX is on that list too. I think the argument that other people have access to the source code holds no water - keep in mind that China has the source code to Windows. And with MSFT's attempt to appease the EU by making available the source code (under very tight NDAs) to developers. I think that it is better to have the code out in the open for all to see (and fix). Unfortunately I cannot change the mind of the government.

      --
      Sleep: A completely inadequate substitution for Caffeine.
    10. Re:So, by jtev · · Score: 2, Funny

      It's called an explitive. Yes, realy, the word is an actual part of speach, though common usage has twisted it into meaning words that are unacceptable for publication. An explitive is a word that adds flavor to written or spoken communication that does not alter the meaning of that communication. Thank you for playing the grammar game, but please, understand what you're criticizing before you play again.

      --
      That which is done from love exists beyond good and evil
    11. Re:So, by Anonymous Coward · · Score: 1, Informative

      "Thank you for playing the grammar game, but please, understand what you're criticizing before you play again."

      The correct spelling is expletive.
      Sorry, YFI.

    12. Re:So, by egypt_jimbob · · Score: 4, Interesting

      Speaking as a student about to graduate and go into Federal Civil Service as a penetration tester, I can tell you that all of the agencies with which I have interviewed use mostly Linux. Well, all of the agencies that are actually good at what I want to do.

      So far it's been mostly Gentoo from what I've seen, but there are some places that have to use RedHat because their management said it has to have 'support.'

      Bear in mind, however, that the places I'm interviewing are hardcore hacker groups, so this may be (and probably is) completely off the norm.

      --
      I am a leaf on the wind. Watch how I soar.
    13. Re:So, by Anonymous Coward · · Score: 0

      What's the point of the "So" at the start of your sentence? It doesn't add information, emotion or elaborate any facts. Try removing it - you will find that your sentence works just as well.

      Fixed. ;)

    14. Re:So, by Anonymous Coward · · Score: 0

      Yes but do they use it internally? Perhaps another "distro" starting with "S" is used (no, no, not SuSE or Slackware or one of the other ones*) and it's even UNIX(tm) based! Perhaps that's the reason why it took a while to open source it ...

      *
      Salvare
      SAM Linux Desktop
      Santa Fe Linux
      SchilliX
      Scientific Linux
      Securepoint Firewall & VPN Server
      Sentry Firewall CD
      Server Optimized Linux
      Shabdix GNU/Linux
      Skolelinux
      Slackintosh
      Slamd64 Linux
      SLAMPP Live CD
      SLAX - Live CD
      Slix
      Slo-Tech Linux
      SLYNUX
      SME Server
      SmoothWall Express
      SNAPPIX
      Snøfrix
      Sorcerer
      StartCom Linux
      StressLinux
      STUX GNU/Linux
      STX Linux
      SuliX
      Symphony OS
      SystemRescueCD

    15. Re:So, by Neoprofin · · Score: 1

      Security-Enhanced Linux

      I don't believe they use it internally as it's still part of a research project, but it wouldn't be a bad place to start.

    16. Re:So, by kcarlin · · Score: 1

      I don't have any quantitative data, but from my adventures with the Federal Government, open source UN*X OSes are well represented in the advanced technology systems I've personally encountered. Reliability, predictability, and modifiability being the key attractions cited.

      --
      Free Adam Smith! (Or best offer.)
    17. Re:So, by Crayon+Kid · · Score: 1

      So far it's been mostly Gentoo from what I've seen, but there are some places that have to use RedHat because their management said it has to have 'support.'

      The need for official support is obvious, even if in reality it ends up being provided by the on site local admins. No need to write it down in quotes and roll our eyes. Official agencies have to have somebody accountable, it's part of justifying the spending of the public dollar.

      As for Gentoo, sorry, but it makes little sense why anybody would choose it for a production environment. Yes, it has the emerge mechanism, but the theoretical usage of emerge is pretty much the only thing it has going for it. It's a hobby distro from the start, it was meant to be one.

      If you're in a large scale deployment scenario you need a distro that will provide binaries, a seamless update and install package management, good hardware support and, why not, good integration of a Windows emulator. I'm not going to mention any other distro names so as not to be accused of trying to promote it over Gentoo, but otherwise the idea is just ridiculous. A workstation, much like a production server, has no need for a compiler to be even present.

      --
      i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
    18. Re:So, by egypt_jimbob · · Score: 1

      Like any other argument of what is best, one must consider the situation. Gentoo may not be suitable for a production environment; in fact, I agree that it isn't for most companies and most IT departments. But for a penetration tester, Gentoo is just about ideal.

      a) Packages are updated more regularly and are far more up-to-date. For example, when nmap 4 came out last month with what I now consider to be essential features, Gentoo stable had an ebuild for it the same day. Debian stable is still showing 3.81, which is no less than 6 months old and a half dozen versions behind.
      b) Performance can be significantly greater. A friend and I have identical laptops, his had Gentoo, mine had Debian, both essentially base installs. His booted ~20% faster. Mine now has Gentoo.
      c) A Gentoo system is _exactly_ what you want it to be. Want security? I run GRsec on a hardened kernel and every binary on my laptop was compiled with a hardened toolchain including the toolchain itself. Try that with any other distribution.

      The need for official support is obvious, even if in reality it ends up being provided by the on site local admins. No need to write it down in quotes and roll our eyes. Official agencies have to have somebody accountable, it's part of justifying the spending of the public dollar.

      When all of your users have been using Linux as their primary operating system for 5+ years, some for much longer, I don't believe you can justify spending public dollars on support. Additionally, I don't believe you should force those users to work on a particular distro.

      no need for a compiler to be even present.

      Compilation is essential to the security professional. So are disassembly and debugging. Not to mention the kind of packet crafting that requires dozens of tools. I agree with you that these tasks are not what normally occur on a server, but Linux is not only useful on a server.

      In short, use the right tool for the job. For many, including myself, the right tool is Gentoo.

      --
      I am a leaf on the wind. Watch how I soar.
  2. Evaluate and Improve by Jeremy.DeGroot · · Score: 5, Insightful
    I think it's great that the government is backing this kind of study, and I think the high marks a lot of packages received will really be a boon to the OSS movement. I think the part of TFA that excites me the most though, is this:
    Coverity evaluated 15m lines of open source code with Stanford University's Computer Science Department. The report has identified bugs that can corrupt a machine's memory space, memory leaks, buffer overruns and crashes. Coverity said it would now engage with open source developers to improve code, and identify potential reasons for why some projects have more bugs than others.
    If they're going to take their comments back to the communities that develop the software, then this could give the development communities a lot to work on and improve, and that could give us some greatly improved software in a year or two's time. I think work like this is the real strength of Open Source, and I hope to see more of it in the future.
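    As an added example that is not part of the original comment, nor code from the Coverity report or from any of the audited projects, the C fragment below shows two of the defect classes the quoted passage names, a buffer overrun and a memory leak, in the shape a static checker reports them, beside the corrected version. The record type, NAME_MAX and the function names are made up for this illustration.

```c
/* Added example (not from the Coverity report or any audited project):
 * two of the defect classes the quoted passage lists, a buffer overrun
 * and a memory leak, followed by the corrected version. The record type,
 * NAME_MAX and function names are assumptions made up for the illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16

struct record {
    char  name[NAME_MAX];   /* fixed-size field */
    char *payload;          /* heap buffer, released by record_free() */
};

/* BEFORE: the shape a static checker flags.
 *  - strcpy() copies up to the NUL in `name` with no regard for NAME_MAX,
 *    so a name of 16 bytes or more writes past rec->name and over
 *    rec->payload (memory corruption, typically a crash later on).
 *  - If the second malloc() fails, the function returns NULL while `rec`
 *    is still allocated and no longer reachable (resource leak).
 * It is not called below; it only shows the defect pattern. */
struct record *record_new_unsafe(const char *name, size_t payload_len)
{
    struct record *rec = malloc(sizeof *rec);
    if (rec == NULL)
        return NULL;
    strcpy(rec->name, name);                /* unbounded copy */
    rec->payload = malloc(payload_len);
    if (rec->payload == NULL)
        return NULL;                        /* rec is leaked here */
    return rec;
}

/* AFTER: the length is checked before any copy, an over-long name is
 * rejected outright rather than silently truncated, and every allocation
 * made so far is released on the error path. */
struct record *record_new(const char *name, size_t payload_len)
{
    if (name == NULL)
        return NULL;
    size_t len = strlen(name);
    if (len >= NAME_MAX)                    /* no room left for the NUL */
        return NULL;

    struct record *rec = calloc(1, sizeof *rec);
    if (rec == NULL)
        return NULL;
    memcpy(rec->name, name, len + 1);       /* bounded: len + NUL <= NAME_MAX */

    rec->payload = malloc(payload_len);
    if (rec->payload == NULL) {
        free(rec);                          /* unwind: no leak */
        return NULL;
    }
    return rec;
}

void record_free(struct record *rec)
{
    if (rec == NULL)
        return;
    free(rec->payload);
    free(rec);
}

int main(void)
{
    struct record *ok = record_new("apache", 64);
    struct record *rejected = record_new("a-name-that-is-too-long", 64);
    printf("\"apache\" accepted: %s\n", ok ? "yes" : "no");
    printf("over-long name rejected: %s\n", rejected == NULL ? "yes" : "no");
    record_free(ok);
    record_free(rejected);
    return 0;
}
```

    The boundary case is the one a checker reasons about: a 15-byte name plus its terminator fills NAME_MAX exactly and is accepted, a 16-byte name is refused, and the NULL return on the allocation failure path leaves nothing behind to leak.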
    1. Re:Evaluate and Improve by T-Ranger · · Score: 1

      I wonder how many of the potential suggestions have been made by the OpenBSD crew, and already rejected....

    2. Re:Evaluate and Improve by Anonymous Coward · · Score: 1

      Actually two of the OpenBSD developers worked for Coverity last I heard (i.e. Ted Unangst and Peter Hessler). This probably gives them some influence ...

    3. Re:Evaluate and Improve by Josuah · · Score: 1

      Or, you could say that this is the strength of taxes being used to fund public science, rather than the strength of open source software. Now imagine if the estimated end-cost of the Iraqi invasion (US$2 trillion over the years + 3,000 US citizens + 30,000 Iraq citizens) was being put towards public science?

  3. So they submitted Bugs, Right? by BigBuckHunter · · Score: 5, Interesting

    This study would be extremely valuable if they had submitted BZilla bugs for each and every defect they encountered. It's hard to tell from the article whether they did or not. One thing that I have learned from running ~arch in Gentoo is that if you don't submit bugs, things aren't going to get fixed.

    BBH

    1. Re:So they submitted Bugs, Right? by Too+many+errors,+bai · · Score: 4, Funny

      If these packages are used within the government, the security holes discovered are probably kept secret. National security and all that.

    2. Re:So they submitted Bugs, Right? by rs79 · · Score: 1, Flamebait

      I hope they looked at DJBDNS and QMAIL.

      All software should be that good.

      If they found bugs in Bind, I'm not interested in the rest of the report. That's just pork.

      --
      Need Mercedes parts ?
    3. Re:So they submitted Bugs, Right? by Anonymous Coward · · Score: 0

      They might be good but how is that relevant? DJBDNS and QMAIL aren't open source.

    4. Re:So they submitted Bugs, Right? by legirons · · Score: 1

      "This study would be extremely valuable if they had submitted BZilla bugs for each and every defect they encountered."

      The article seems to suggest that the authors want to help with processes, rather than individual bugs.

      That seems like a much better long-term idea, especially if (and this seems likely) they analysed a sample of code.

      If someone analyses 1000 lines of code from a 100000 line project, then they'll have a fairly good idea of what processes (e.g. audits, code reviews, patterns) can help the team, whereas simply reporting the bugs they found would mean that 99% of the total bugs would remain undiscovered until someone conducted an equally thorough analysis of the rest of the code.

    5. Re:So they submitted Bugs, Right? by assassinator42 · · Score: 1

      They would've had to look at at least 50,000 lines of code. Since they found 32 hundredths of a defect in 1,000 lines of code. (They could've found 16 defects in 50,000 lines). Wait, that doesn't seem right. Anyone want to enlighten me?

    6. Re:So they submitted Bugs, Right? by Anonymous Coward · · Score: 0

      Qmail is open source.

    7. Re:So they submitted Bugs, Right? by legirons · · Score: 1

      "They would've had to look at at least 50,000 lines of code"

      Big deal - at work, we use more code than that to display a dialog box ;-)

    8. Re:So they submitted Bugs, Right? by Anonymous Coward · · Score: 0

      Oh, a Java user...

    9. Re:So they submitted Bugs, Right? by Anonymous Coward · · Score: 0

      You code for Microsoft? ;)

  4. Fan of Linux, not of Homeland Security by toddbu · · Score: 3, Informative

    I feel very conflicted by this report. On the one hand, I'm happy to see a report that favors open source. On the other hand, in the wake of the Katrina political fallout, it's difficult to say whether this report helps or hurts. The last thing LAMP needs right now is to get caught up in Brown/Chertoff/GWB affair. The only thing worse would be to have the UAE issue a similar report. :-)

    --
    If you don't want crime to pay, let the government run it.
    1. Re:Fan of Linux, not of Homeland Security by g2devi · · Score: 1

      I don't see a reason to feel conflicted, unless you believe that some people/companies/institutions are pure evil 100% of the time or pure good 100% of the time. The world is a bit more nuanced than that.

      I'm sure if you looked at the lives of Stalin, Attila the Hun, Saddam Hussein, and other despicable people you'd find that as bad as they were, they did *some* good. The opposite is true for Pope John Paul II, Gandhi, and JFK.

      My own philosophy is to praise people/companies/institutions when they're good (no matter how bad they are normally) and condemn people/companies/institutions when they're bad (no matter how good they are normally).

      They've done a good job here and that's good enough for me.

    2. Re:Fan of Linux, not of Homeland Security by NoTheory · · Score: 1

      That's a really ridiculous thing to say. The US government is supposed to be set up as a meritocracy. The idea is that there are career bureaucrats who sit in their jobs all of their life, independent of who is in power. The branches of government like the GAO, NASA, the President's Office of Management and Budget are all known for this. Not everything that goes on in Washington has to do with politics.

      And frankly, i find it pretty weird to think that an operating system or software development movement could somehow become identified with a presidency.

      --
      There are lives at stake here!
    3. Re:Fan of Linux, not of Homeland Security by mcc · · Score: 1

      The only thing worse would be to have the UAE issue a similar report. :-)

      Oh no too late :O

    4. Re:Fan of Linux, not of Homeland Security by Saeed+al-Sahaf · · Score: 2, Insightful

      There is no relationship between this study and Katrina. The disaster people work in a different office, down the hall. Would you like me to transfer you? Hold on....

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    5. Re:Fan of Linux, not of Homeland Security by Daniel+Dvorkin · · Score: 1

      I think it's a matter of perception rather than a strict good-vs.-evil accounting. If your work is praised by a source widely considered to be incompetent and/or corrupt, then people will perceive your work as worse, not better, regardless of its actual merits -- or, for that matter, how justified the praise itself may be.

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    6. Re:Fan of Linux, not of Homeland Security by toddbu · · Score: 3, Interesting
      The branches of government like the GAO, NASA, the President's Office of Management and Budget are all known for this. Not everything that goes on in washington has to do with politics.

      You can't really be that naive, can you? Take the OMB for example. There's a big debate going on about whether OMB should use static scoring or dynamic scoring. It doesn't really matter which one you prefer, but I can tell you that in the current political climate it makes a *huge* difference. Democrats prefer static modeling because then they can argue against tax cuts. Republicans favor dynamic modeling to support a "trickle down" effect. But the idea that somehow OMB is neutral is ignoring reality. Even if they don't intend to favor one party or another, the fact is that there is no action that they can take that won't benefit one group or another.

      Interesting that you should mention NASA. Their very existence depends on the support of the aerospace community and the regions of the country that benefit from NASA centers. They are very good at using their influence to get what they want. Even if you could claim that they don't favor one political party over another, they are still very skilled at using political influence to their advantage.

      --
      If you don't want crime to pay, let the government run it.
    7. Re:Fan of Linux, not of Homeland Security by toddbu · · Score: 1
      Hold on....

      I've been waiting several minutes now and have yet to be connected. Could you look into this for me? Also, I might suggest that you update your music-on-hold. I can only listen to "Rhinestone Cowboy" just so many times.

      --
      If you don't want crime to pay, let the government run it.
    8. Re:Fan of Linux, not of Homeland Security by HiThere · · Score: 1

      But when you are judging an action that is proposed to happen at sometime in the future, you are always operating with incomplete information, and information that is biased in the favor of whoever released the information. In such cases the course of wisdom is to examine the proposal in the light of your best guess of what the motives are, based on past actions of the agencies involved.

      If someone has proven untrustworthy in the past, it's not wise to trust their promise about what they're going to do...but you may consider it plausible if it does appear to be of great benefit to them. (With some, even in such a case you consider the parable of the frog and the scorpion, and take what appear to be suitable precautions.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    9. Re:Fan of Linux, not of Homeland Security by Lehk228 · · Score: 1

      was there any point to your post other than attempting to incite a flame war?

      --
      Snowden and Manning are heroes.
    10. Re:Fan of Linux, not of Homeland Security by toddbu · · Score: 1

      Why would you think I was trying to incite a flame war? Because I noted that there is a current political firestorm over Homeland Security and the UAE? The whole point of my post is that it's easy for good data to get lost in political debate. I think your post proves my point.

      --
      If you don't want crime to pay, let the government run it.
    11. Re:Fan of Linux, not of Homeland Security by SnowZero · · Score: 1

      My own philosophy is to praise people/companies/institutions when they're good (no matter how bad they are normally) and condemn people/companies/institutions when they're bad (no matter how good they are normally).

      You must be new here.

    12. Re:Fan of Linux, not of Homeland Security by Daengbo · · Score: 1

      What do you have against the University of East Anglia? Have they ever done anything underhanded to you?

    13. Re:Fan of Linux, not of Homeland Security by toddbu · · Score: 1
      What do you have against the University of East Anglia?

      Wouldn't that be UEA?

      --
      If you don't want crime to pay, let the government run it.
    14. Re:Fan of Linux, not of Homeland Security by NoTheory · · Score: 1

      That's not a boolean statement. There are shades of apolitical neutrality. Obviously, the OMB, as a direct branch of the administration is certainly going to feel more pressure than the GAO for instance. That still doesn't mean that all of the research and statistics that come out of the OMB are going to be slanted for political purposes.

      That aside, my point about casting Linux within a partisan political still stands. One might be able to cast open source software in an anti-business light, but that's never fallen clearly into the Democrat/Republican dialectic. Moreover, I would find it hard not to laugh if someone wanted to claim that Linux was used/supported by more Democrats than Republicans, or the other way around. The LAMP stack is just not a political entity as it currently stands.

      And, fine, so the institution of NASA deals with politics. I'd never contradict that. Again though, it's a cheap shot to claim that their research is politically motivated, because I think it's pretty clearly not. Their scientists seem quite independent, and fairly vehemently so.

      --
      There are lives at stake here!
  5. Their findings are as follows by Mancat · · Score: 4, Funny

    Open-source software is a serious threat to this country. These terrorist schemes, or "development projects," as the terrorists refer to them, are designed to rot away the core values of our great nation that we hold so dearly. One in particular, known as "Linux," is especially suspect. It is "developed" by terrorists worldwide, many of which are communists, and many of which do not even support our great commander in chief! It is appalling! How can we trust the security of our nation to these rogue "developers?" Surely they may have hidden devices in their programs, hidden in elaborate matrices of computer programming, that when activated by the terrorists, will disable the software and send them all of our secret data! It can only be expected.

    The terrorists are cunning, they are secretive, and they will destroy us if they have their way. This world-wide "open source" terrorist movement must be deconstructed and eliminated. There is no other way to protect our Great Nation! We say to you, as the purveyors of truth and all that is good, avoid this "open source" and its proponents like the plague! They wish to destroy everything we hold dear. You, my good American, are the first line of defense. Report users of "open source" to the authorities. Gather any information on them that you can. You may even consider running their dastardly "software packages" in your own free time, so that you may come to know your enemy - for knowledge is the greatest tool that we have in this fight.

    Stand proud, my fellow Americans, and beware this new emerging beast. It will surely be the end of us all if we do not take action now.

    Quoted from President George W. Bush's State of the Nation Address, January 2007.

    --
    hello dear sirs my name is jamesh i are india (bihar) can u guide me install red had linux 9?
    1. Re:Their findings are as follows by Anonymous Coward · · Score: 0

      Is that you Dick?

    2. Re:Their findings are as follows by Anonymous Coward · · Score: 0

      Yes, BSD, Linux, Debian and Mandrake are all versions of an illegal hacker operation system, invented by a Soviet computer hacker named Linyos Torovoltos, before the Russians lost the Cold War. It is based on a program called "xenix", which was written by Microsoft for the US government. These programs are used by hackers to break into other people's computer systems to steal credit card numbers. They may also be used to break into people's stereos to steal their music, using the "mp3" program. Torovoltos is a notorious hacker, responsible for writing many hacker programs, such as "telnet", which is used by hackers to connect to machines on the internet without using a telephone.

      http://www.adequacy.org/stories/2001.12.2.42056.2147.html

    3. Re:Their findings are as follows by Anonymous Coward · · Score: 0

      The real terrorist threat is NMCI but we haven't figured how to get them to use it.

  6. Re:Is this the same bunch? by Anonymous Coward · · Score: 0

    Trolltard,

    Department of Homeland Security is not the Federal Emergency Management Agency.

  7. Where's the report? by boa13 · · Score: 4, Insightful

    One would expect that being about open-source and all, and with a purpose of helping open-source developers improve the quality of their code, they would publish the report on a government website somewhere. C'mon, where's the link?

    1. Re:Where's the report? by DogDude · · Score: 1

      Unfortunately, The Register's journalistic quality (and integrity) is on par with Slashdot's.

      --
      I don't respond to AC's.
  8. stanford will keep the database public... by hihihihi · · Score: 5, Informative

    the report has better coverage on this page: http://www.eweek.com/article2/0,1895,1909946,00.asp

    from this TFA:
    "Anti-virus vendor Symantec Corp. is providing guidance as to where security gaps might be in certain open-source projects."

    PS: I am not sure if it has been published on /. or not

    --
    everyone downmodding this post will be prosecuted for reading my post without first buying a license!!!
    1. Re:stanford will keep the database public... by HiThere · · Score: 1

      Well, it *sounds* good ... but Homeland Security? Symantec? I think I'll reserve judgement for awhile. And Stanford has also got a mixed reputation WRT openness. Before I even trusted their intentions I'd want to go over the contract with a lawyer. Sometimes they're good guys, and other times...well, let's just say that I'd like to reserve judgement.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    2. Re:stanford will keep the database public... by Anonymous Coward · · Score: 0

      OH, JUST FUCKING GREAT!!!! Symantec...What a bunch of bonepolishers!!!! Next they will have Mickey Mouse running down the budget.

    3. Re:stanford will keep the database public... by Anonymous Coward · · Score: 0

      Symantec, no shit. This in my opinion puts this discussion to end with no fruit. The security company that can not deliver even marginally effective products has no business evaluating others' code.

  9. Meaningless categorization by sreekotay · · Score: 4, Insightful

    I've always thought it VERY odd to think about "Open Source" as a thing.

    It'd be like saying: We studied the quality of software compiled with the Watcom 10.0 C++ compiler. "Open source" cuts across so many levels of skill and projects. You can pretty much find projects that support (or destroy) whatever thesis you'd like to put forward.

    Even more, somebody pays for the development of the software, one way or another.

    This article (from ONLamp) http://www.onlamp.com/pub/a/onlamp/2005/07/21/software_pricing.html really puts it into better perspective. Basically, it says ALL software can be deconstructed to being about the service (at least so long as the technology curve continues, in practice, to limit its lifespan).

    --
    graphicallyspeaking

    1. Re:Meaningless categorization by Night+Goat · · Score: 2, Insightful

      It's a lot more difficult to study the bugs in closed source code and get a bugs per thousand lines of code metric out of it. That is probably why they're doing the testing on OSS.

    2. Re:Meaningless categorization by hey! · · Score: 1

      I disagree. Open Source is not a thing, it is a process. A process that's of interest because of its products.

      That's not to say it's easy to study in a way that you can use to make decisions about open source product A and closed source product B, but it's far from impossible.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    3. Re:Meaningless categorization by sreekotay · · Score: 1

      Yes, I guess my point was indeed that yes, "Open Source" is a process, but that I don't know that I view it as a meaningful dividing criterion between "good" software and "bad" - there are a LOT of other factors; it just seems like OSS is the "hot" one to discuss...

  10. No... Could it be..? by Anonymous Coward · · Score: 0

    Could it be that something good came from the US Department of Homeland Security?

  11. The US Gov't made that too generalized... by Anonymous Coward · · Score: 0

    I don't think there is any question. Open and closed source will both be around for the foreseeable future.

    To what extent is a different matter...

    As long as there are people (and this would be the vast majority today) who care less about what license their software has than how well it does the job, then there will always be a market for closed-source software. On the condition that it is better than the available OSS solutions.

    I think OSS will play this kind of role in the future, providing everybody with a basic set of software, and upping the ante for the quality of commercial software.

    Commercial software on the other hand, will increasingly be for those who need and are willing to pay for the improved quality it offers (and will by definition be forced to offer in order to exist).

  12. Digg Troll? by Mancat · · Score: 1

    I'm glad to see that one of the first Digg Trolls chose to reply to my post. Have a good one buddy!

    --
    hello dear sirs my name is jamesh i are india (bihar) can u guide me install red had linux 9?
    1. Re:Digg Troll? by Anonymous Coward · · Score: 0

      Really? 15? I had him figured for 13-ish. In that rebellious "I'm so fucking mature because I can out-swear a sailor / I'M RIGHT BECAUSE I TALK LOUDEST" phase. The phase before he gets a real job, lives with his parents, and gets laid.

  13. Re:money? by HazE_nMe · · Score: 1
    as part of a $1.24m, three-year DHS Science and Technology Directorate effort

    Damn you didn't even read the f**kin summary!

  14. There's something missing by Captain+Lou · · Score: 1, Redundant

    "...has effectively given the Linux, Apache, MySQL and Perl/PHP/Python (LAMP) stack a healthy rating. LAMP "showed significantly better software quality" above the report's baseline with an average of .32 defects per 1,000 lines of code, according to Coverity. The average for open source projects analyzed is .42 per 1,000 lines." What would be interesting to know is how they determined a baseline of .32 defects per 1000 lines of code as their baseline, and how so called commercial products, like Oracle, Windows, MSSQL, etc. fared against the same baseline.

    That's really the question, isn't it? Is Open Source more or less secure than any of the closed systems?

    --
    --My signature is six words long.--
  15. MOD PARENT DOWN by Anonymous Coward · · Score: 4, Funny

    The parent is wasting valuable time on Slashdot that should be spent finalizing his Independent Study project for the College of Wooster. He has precious little time left.

    1. Re:MOD PARENT DOWN by Jeremy.DeGroot · · Score: 2, Interesting

      If this came from who I think it did, your IS ain't in any better shape than mine, buddy. :-p

    2. Re:MOD PARENT DOWN by Anonymous Coward · · Score: 0

      How stupid do people have to be to mod this kind of a posting as funny? The OSS fanatics must have way too many points to spare. To quote another president, "I did not have sex with OSS".

  16. Compare with... by Anonymous Coward · · Score: 2, Interesting

    ...New Zealand's recent analysis of open source, which focuses on legal issues.

    1. Re:Compare with... by Anonymous Coward · · Score: 0

      How credible is a recommendation which says that:

      '18 A "permissive" open source licence is not infectious. __A permissive licence does not apply to the original software itself__, modifications of the software, or to other software that is integrated with it. The MIT Licence is an example of a permissive open source licence.'

      This is simply and obviously wrong, for the original license must apply to the original software and there is no right to use the software at all if it doesn't.

      I've informed them of this error.

    2. Re:Compare with... by cyber-vandal · · Score: 2, Insightful

      25 There is a risk that open source software contains functional defects, or breaches a third party's intellectual property rights (e.g. where it contains code misappropriated from proprietary software or functionality in breach of a patent). The absence of warranties and indemnities in most open source licences means the licensee bears this risk. This can be contrasted with the protection usually available under commercial software licences.

      That made me laugh.

    3. Re:Compare with... by Kristoffer+Lunden · · Score: 1

      Yeah, doesn't most commercial software also come with NO WARRANTY in bold caps?

  17. OSS Security depends on people admitting a bug by Wayne_Knight · · Score: 0, Flamebait
    The honest answer is free software is NOT always the best solution for every problem, especially when it comes to security. I know that people are going to flame me but sometimes the best current solution is a closed source program.

    CAD is a good example. I have heard a lot of good things about a new open source CAD program but what if you have a lot of vendors that use Solidworks or Autodesk?

    Office is another good example. Many local and state governments have tried Applix or Star Office (now OpenOffice) for a few years. The day that they got rid of it and went to Office 2003 the county workers were more productive than ever. They had a terrible time with sending files to and getting files in Office format. I tried to convince them that it would improve and that they shouldn't sign away their life, but they needed something that would just work. For them, Windows XP and Office 2003 just worked.

    If you look at a lot of the government studies of who uses and gets the most benefit out of open source it tends to fall into two categories:
    1. REALLY BIG TECH COMPANIES. They have their own support and development staff and can contribute back to open source projects.
    2. Really tiny startups with a good techie or two. They are not big enough for the big vendors to care about. So the support they get for much of the open source tools is as good, or better than, what they get from big closed source vendors.
    In the middle you have a lot of medium companies that really don't want to manage software developers or handle support in house. I am all for open source but there are a lot of issues yet to be solved.
    1. Education. I can not take a course on Linux at my local Community College. I can get my MCSE or Cisco cert there.
    2. Support. I can make Linux work for me and my company but not every company can. Where is the Linux Geek Squad? Yea all those scan-disk, defrag, run adaware and scan for virus "techies" give me the creeps but they seem to fill a need. Where can the mythical grandmother go to get a DVD installed in her Linux box or find out how to fix Thunderbird if the mail folder blows up? I will not even go into the poor state of some documentation for open source programs.
    3. Teaching. If you are going to send people out into the real world as system administrators and/or programmers, they will have a better chance to find a job if they know Windows and Linux. Heck, they should know as many different systems like Z/OS and OS/400!
    In conclusion, open source security depends on people admitting that bugs exist. If they act all high-and-mighty, nothing happens and it's just as bad as whatever software product is out there nowadays that people just love to hate.
    1. Re:OSS Security depends on people admitting a bug by JulesLt · · Score: 2, Insightful

      It's that good old 'total cost of ownership' - for the two categories you identified the answer is 'lower', but for many people lacking in IT skills it is a more complex calculation - especially in places where their IT support is already contracted out. O/S actually needs to come in and compete in these environments, rather than expecting them to become IT literate.

      Advocates need to consider the many places in their lives where they purchase things rather than make or maintain them themselves - for many people without interest in technology, software is in that category - we live in a society where people pay a premium for ready-made meals, despite the repeated message they could save money by making their own.

      --
      'Capitalists of the world, unite! Oh ... you have' (League Against Tedium)
    2. Re:OSS Security depends on people admitting a bug by killjoe · · Score: 3, Insightful

      Well the expected FUD mobile shows up again.

      I especially love the "Windows XP and office 2003 just worked" line. That's a rich one. Anybody who has actually worked with those technologies knows how much effort it takes to make them "just work".

      I do think you have a point about the incompatibilities of the office formats with other software. It's a well known fact that MS products use office formats to undermine other software. I think that people are finally wising up to this and pushing for ODF. Even MS has tried to make the default office format XML based so I think this problem will go away very soon.

      What's interesting to me is how different office 12 looks from office 2003 (who the fuck came up with that versioning scheme?). It will be much easier to re-train employees from office 2003 to open office (which looks very similar) than to retrain employees to migrate from 2003 to 12. Office 12 looks and acts radically different than what people are used to.

      --
      evil is as evil does
    3. Re:OSS Security depends on people admitting a bug by burnin1965 · · Score: 0

      "I know that people are going to flame me"

      Sometimes posts are deserving of the flames they attract.

      "free software is NOT always the best solution for every problem, especially when it comes to security" ... ramble ramble ramble ... "open source security depends on people admitting that bugs exist. If they act all high-and-mighty, nothing happens and it's just as bad as whatever software product is out there nowadays that people just love to hate"

      The start and end of your rant suggested you had some issue with security in open source software, yet you failed to mention a single point in the entire rant about security in open source software. There is some validity to some of your statements by themselves, but not one of them had any relevance to security.

      While I'll admit that I have a low opinion of various closed source vendors there are many valid reasons for preferring open source software to closed source other than "people just love to hate".

      My top reasons for using open source software:
      1) The best licensing available as an end user.
      2) By far the most secure solutions available.
      3) Unbeatable cost of ownership.
      4) Unmatched flexibility in hardware support, feature set, and resource footprint.
      5) And my favorite, it just works, unlike many of the closed source offerings which have claims of just working and great interoperability; they usually turn out to have bizarre and unpredictable reliability issues and tend to have good interoperability as long as you're interoperating with the same vendor's software and the same revision level.

      burnin

    4. Re:OSS Security depends on people admitting a bug by Anonymous Coward · · Score: 0

      especially when it comes to security

      -----------------

      you then went on to mention issues about compatibility with existing infrastructure w/o even mentioning a security issue.

      you go straight back to high school writing class, do not pass go.

    5. Re:OSS Security depends on people admitting a bug by BeanThere · · Score: 1

      How much do you get paid for an 'astroturf' post like that? (You're not very good at it though ... the whole formulaic "pretend to be an OSS advocate" to score mod points, it's like you pulled it from a marketing 101 textbook.)

    6. Re:OSS Security depends on people admitting a bug by alx.slashdot · · Score: 1

      Anybody who has actually worked with those technologies knows how much effort it takes to make them "just work".
      Actually, if you're not the one spending the effort, there's no way to tell. For the average corporate user, the above is true because they've no idea how much effort the IT staff took to make it work. From their point of view, it just works.

    7. Re:OSS Security depends on people admitting a bug by the_bard17 · · Score: 1

      ...Where is the Linux Geek Squad? Yea all those scan-disk, defrag, run adaware and scan for virus "techies" give me the creeps but they seem to fill a need. Where can the mythical grandmother go to get a DVD installed in her Linux box or find out how to fix Thunderbird if the mail folder blows up?...

      Actually, there are (more than) a few of us in that Geek Squad who would be perfectly happy providing Linux support. It'll probably never happen... it's great that there are those of us who are technically literate enough to be comfortable working with Linux, but I can't see a nationwide company providing Linux support piecemeal. I'd rather expect them to expect each and every tech they've got working for them to be competent in Linux... which ain't gonna happen. Why? I wouldn't want to be put in charge of bringing all these "scan-disk, defrag, run adaware and scan for virus 'techies'" up to speed in Linux. Can't imagine giving the order, too, or explaining to your shareholders why you're spending such a massive amount of money training techs on an operating system with such a small marketshare (in residential homes, at least).

    8. Re:OSS Security depends on people admitting a bug by tech_guru5182 · · Score: 2, Interesting

      Actually, it appears to be a switch back to the old versioning scheme.

      Also, I agree with the comment about the FUD mobile appearing.

      I have no problems finding a local community college with Linux classes. I actually took one a few years ago as part of my associate's degree. You may want to try searching for UNIX instead, as Colleges usually keep old names around. The class I took was actually called UNIX Concepts, but was actually taught on Red Hat Linux.

      See
      EET 175 Network Operating Systems
      EET 208 UNIX Concepts
      at Owens Community College (https://www.owens.edu/cgi-bin/courses.pl)

      --
      BAN BPL! Keep the radio spectrum free fro
    9. Re:OSS Security depends on people admitting a bug by 0x0000 · · Score: 3, Interesting
      software is NOT always the best solution for every problem, especially when it comes to security.

      .... you say this [the above], then proceed to make an argument based solely on functionality and support of software packages available. Do you have anything to back up your initial statement there, that non-Open software is somehow better for applications that require "security" (a vague term at best, in this context, I think - are you talking security against networked crackers, automated worm attacks, attempts to de-crypt encrypted data ... )? I'm not trying to "flame" you, but you don't support your statement at all in your post, and I honestly can't think of an instance where proprietary or closed source software is "more secure" than F/OSS...

      I can not take a course on Linux at my local Community College.

      You should move to where there's a better community college - I think it may even be safe to use the word "most" when describing how many schools there are across the country now that are teaching Linux, FreeBSD, or both. Are you saying your school doesn't offer it, or that you can't take it for some other reason?

      As a sidelight, note that many schools that have received endowments from M$ (thru one channel or another) have magickally dropped the course-work they once had that didn't require the purchase (at a student discount, of course) of M$ products - if that's what's going on at your school, you might want to address it with your administration - after all, when you're paying for an education, they're defrauding you if they don't give you what you pay for - regardless of what M$ is paying them (under the table) not to teach you....

      out in to the real world as system administrators and/or programmers, they will have a better chance to find a job if they know Windows and Linux

      Not sure just what sector of the real world you're talking about, here, but *I* won't hire you if you don't understand operating systems generally (we're talking critical embedded systems here - the stuff that's going to outlive the users who are thinking they need a "new" obsolete PC), and have some skill with anything that can be called one. "Platform Independence" and "Language Independent" aren't just test questions in the Real World outside Microsoft Applications Land - a rich and profitable land to be sure, but nothing grows there so all [brain] food must be imported, and life expectancy is pretty short generally due to contaminated memepools, rarefied atmospheres, and the mind numbing depressions induced by the incredibly bleak cyberscapes...)

      Anyway - all that said, I do agree with you about support for F/OSS - it is overall difficult to access, often hard to understand, and generally just unusable for those who are not already to some degree technical initiates. And that does need to change. Imo.

      --
      "The Internet is made of cats."
    10. Re:OSS Security depends on people admitting a bug by ratboy666 · · Score: 1

      I am sorry. I don't follow your argument at all.

      First, what does CAD have to do with security? What does the number of users of Autodesk or Solidworks have to do with anything in this discussion? And, just as an aside, the last time I looked, DXF formats were supported by most CAD vendors, open or closed source.

      Now, OpenOffice may not be as productive as Microsoft Office. Is your claim that this is due to bugs in OpenOffice? Further, is your claim that the cause of these bugs is because OpenOffice is an open source application? Easily refuted -- OpenOffice.org USED to be StarOffice, which was a COMPLETELY closed source application until purchased by SUN Microsystems, who open-sourced it. You may still have a point that the Microsoft product is superior for your uses. Just not relevant.

      Now, you touch on Education, Support, and Installation issues. Is your claim that the lack of these constitutes a "bug" in the software sense?

      Ratboy.

      --
      Just another "Cubible(sic) Joe" 2 17 3061
    11. Re:OSS Security depends on people admitting a bug by Joe+Enduser · · Score: 1
      Support. I can make Linux work for me and my company but not every company can. Where is the Linux Geek Squad? Yea all those scan-disk, defrag, run adaware and scan for virus "techies" give me the creeps but they seem to fill a need. Where can the mythical grandmother go to get a DVD installed in her Linux box or find out how to fix Thunderbird if the mail folder blows up?
      That is exactly my aim, to help the average user out with Linux, and I encourage other people to do the same. Even if you will not be able to charge them a lot of money, the reward is in meeting a bunch of nice people and their gratefulness.
  18. What's good for the goose.. by wfberg · · Score: 1, Interesting

    is good for the gander?

    I wonder what "bugs that can corrupt a machine's memory space, memory leaks, buffer overruns and crashes" have been uncovered by looking at the source code of closed source softw... oh. wait. no source. heh.

    This might well mean that open source software will, at some point in the future, be considered more secure and well-written than comparable commercial closed source software even by government or PHBs.

    You have to wonder about the difference in "errors per thousand lines of codes" metric though. Does one project use
    int a;
    a = 5;
    and the other
    int a=5;
    ?

    --
    SCO employee? Check out the bounty
    1. Re:What's good for the goose.. by jofi · · Score: 1

      A government should have no problem getting the source code from Microsoft, and certainly isn't by means of the government forcing anyone.

      --
      Blame the user, not the software.
    2. Re:What's good for the goose.. by Anonymous Coward · · Score: 0

      I thought the gist of the report was that the analysts were impressed by the LACK of serious bugs in a lot of the core software, and then were working to help fix those that they did find. More importantly, the group intends to work to improve the process of creating the code of OSS so that future bugs become more rare.

  19. Yes by jascat · · Score: 5, Interesting

    While not used on every desktop, I know of a lot of F/OSS being used everyday in the military. It would be stupid to not use it. Why would companies like Redhat and Novell spend money on getting their software certified to run on classified systems if it wasn't going to get used? While we may be selling out to Microsoft a lot, there are times when those of us who know better manage to convince the decision makers of the right tool for the job. In some cases, it's a MS product, in others, it's something else.

  20. Re:Is this the same bunch? by Anonymous Coward · · Score: 0

    Uh, FEMA now falls under the umbrella of DHS. DHS was ultimately in charge of FEMA during Katrina. So basically, you're wrong.

  21. RTFA by Night+Goat · · Score: 3, Interesting

    From the article, which I'm SURE you read:

    Coverity evaluated 15m lines of open source code with Stanford University's Computer Science Department. The report has identified bugs that can corrupt a machine's memory space, memory leaks, buffer overruns and crashes. Coverity said it would now engage with open source developers to improve code, and identify potential reasons for why some projects have more bugs than others.

    Yes, the folks who ran the tests plan to submit their findings to the developers to help squash bugs.

    1. Re:RTFA by Anonymous Coward · · Score: 0

      Why did they wait? No, really. Why have they waited until after releasing this report? Are they concerned the bugs might have been fixed too fast, thus making their attempt to paint OSS in a negative light that much less effective? Are they concerned that OSS developers might be able to defend their code in real-time if those developers had actual access to the specifics (rather than the generalities) of the report? No, really. Why did they wait?

    2. Re:RTFA by BigBuckHunter · · Score: 1

      I'm not sure what "engage with open source developers" means... Not just because they used the word "with", which was unnecessary and hard for me to parse. It doesn't necessarily mean that they're itemizing and reporting the defects. It may be some foo-foo conference where they review coding practices and plug some form of SDLC CM/EM/UAT crap. I hope that is not the case, and that we actually get something constructive out of this. Most of us have been through ISO/Six Sigma/Sas70 audits before and seen nothing worthwhile come of it.

      BBH

    3. Re:RTFA by Anonymous Coward · · Score: 0

      Only a fool responds to AC posts, so paint me stupid. When you ask questions like that, your youth and inexperience become so apparent. Most formal testing/review strategies will not "feed back" into the source of the reviewed item until a preliminary or final report is produced. In a formal code walk-through, you don't have somebody jump up and leave the table as soon as the first bug is discovered; rather, you wait until the entire unit or module is reviewed. It's simply more efficient that way. Medical trials are conducted with a portion of a test group taking an "experimental" drug or treatment and only in the most critical of health care situations are patients recommended for treatment; typically they're followed for 1-5 years after the trial is over to see if there were differences. The same is true in most manufacturing processes. A manufacturer doesn't go back and alert everyone, who's previously purchased a product, about problems discovered later on (unless the problem is seriously life-threatening).

    4. Re:RTFA by justthinkit · · Score: 0
      Why did they wait? No, really. Why have they waited until after releasing this report? Are they concerned the bugs might have been fixed too fast, thus making their attempt to paint OSS in a negative light that much less effective?

      I dislike bugs as much as the next coder and always try to fix them as soon as possible. However the govt. was supposedly trying to measure something and if they had told the OSS coders what they were up to it would have distorted the results.

      --
      I come here for the love
    5. Re:RTFA by sbrown123 · · Score: 1

      Awesome! OSS needs more government funded projects to find bugs and security issues. All those "experts" who kept bitchin' that no one would spend the time or money finding security holes in OSS should go shut the hell up and go back to writing brochures for Microsoft.

    6. Re:RTFA by belmolis · · Score: 1

      I'm not sure this is a good thing for FLOSS. In military usage, "engage" means "fight", as in "We engaged the enemy at 09:00 and killed them all."

  22. Re:Is this the same bunch? by Anonymous Coward · · Score: 0

    Bad with logic and spelling? What a winner.

  23. Open Source Software: Opportunities and Challenges by Old+Duck · · Score: 5, Informative

    An interesting study was done by the U.S. Military (the Air Force, I believe) concerning Open Source and its place in the department of defense, though it is written in such a way to be useful to non-military personnel and applications. It is a similar, yet IMHO, a more interesting read than the parent.

    The report can be found as a PDF at http://www.stsc.hill.af.mil/crosstalk/2005/01/0501Tuma.pdf

    --
    There are more things in heaven and earth, Horatio, Than are dreamt of in your philosophy.
  24. What is normal? by CAPSLOCK2000 · · Score: 2, Insightful
    FTA:

    LAMP "showed significantly better software quality" above the report's baseline with an average of .32 defects per 1,000 lines of code, according to Coverity.
    The average for open source projects analyzed is .42 per 1,000 lines.

    Does anyone have any factual data on what is "normal" (accepting all the problems of counting lines and bugs in the first place)? I've seen estimates range from 2 to 100 per 1000 lines.
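    The "int a; a = 5;" versus "int a = 5;" question raised earlier in the thread and the "what is normal?" question above both come down to the denominator: a defect count divided by a line count that depends on how lines are counted. The following is an added example, not code from this thread or from Coverity's report. The C fragments and the defect count of one are constructed, and the three counting rules it compares (raw physical lines as `wc -l` reports them, non-blank non-comment source lines, and logical statements) are common conventions; the article does not say which rule Coverity used.

```python
import re

# Constructed C fragments: the two styles the thread contrasts.
VERBOSE_STYLE = "int a;\na = 5;\n"
COMPACT_STYLE = "int a = 5;\n"

# A slightly larger constructed C function with comments, blank lines and
# statements that span more than one physical line.
SAMPLE_C = """\
/* constructed sample: copies a string into a bounded buffer */
#include <string.h>

int copy_name(char *dst, size_t dstlen,
              const char *src)
{
    size_t n = strlen(src);   /* length of the input */

    if (n >= dstlen) {
        return -1;            /* would not fit */
    }
    memcpy(dst, src,
           n + 1);
    return 0;
}
"""

_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)
_CONTROL_RE = re.compile(r"\b(?:if|else|for|while|switch|do)\b")


def strip_comments(src):
    """Drop C block and line comments so they are not counted as code."""
    return _COMMENT_RE.sub("", src)


def raw_lines(src):
    """Every physical line, as `wc -l` reports it (blanks and comments included)."""
    return len(src.splitlines())


def source_lines(src):
    """Non-blank, non-comment physical lines: the usual 'SLOC'."""
    return sum(1 for line in strip_comments(src).splitlines() if line.strip())


def statements(src):
    """Logical statements: one per ';' plus one per control-flow keyword.

    A crude approximation (no handling of for(;;) or string literals), but
    it does not change when the author breaks lines differently."""
    code = strip_comments(src)
    return code.count(";") + len(_CONTROL_RE.findall(code))


def defects_per_kloc(defects, loc):
    """Defects per 1,000 lines, the unit the Coverity figures are quoted in."""
    if loc <= 0:
        raise ValueError("need at least one line of code")
    return defects * 1000.0 / loc


def density_table(src, defects):
    """Defect density of one fragment under each counting rule: {rule: (lines, density)}."""
    counts = {
        "raw_lines": raw_lines(src),
        "source_lines": source_lines(src),
        "statements": statements(src),
    }
    return {rule: (n, defects_per_kloc(defects, n)) for rule, n in counts.items()}


if __name__ == "__main__":
    # One constructed defect in each fragment: the numerator never changes,
    # only the denominator does.
    for label, src in (("verbose", VERBOSE_STYLE), ("compact", COMPACT_STYLE),
                       ("sample", SAMPLE_C)):
        print(label)
        for rule, (n, density) in density_table(src, 1).items():
            print(f"  {rule:13s} {n:3d} lines -> {density:7.2f} defects/KLOC")
```

    Run it and the same single defect in the sample function comes out at roughly 67, 83 or 200 defects per KLOC depending on the rule, and the verbose two-line style scores twice as "clean" as the compact one-liner. Any comparison of a .32 or .42 figure against a "normal" of 2 to 100 is only meaningful when both sides state which of these denominators they used.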
    1. Re:What is normal? by ClamIAm · · Score: 1
      I've seen estimates range from 2 to a 100 per 1000 lines.

      Well, if they're using version stable.3.25 of whatever packages they audited, I think there would be quite a few less bugs than version new.0.0 .

  25. Thanks for wasting a million bucks of our money by vmalloc_ · · Score: 1

    Next time give that money back to us and write "USE OPENBSD" on your report. Better yet, just give them the money, and they'll actually do security stuff with it.

  26. only europe can fix america. by Anonymous Coward · · Score: 0

    I'm not sure what this report is good for. The real battle is on three fronts : SCO vs. IBM, Microsoft vs. EU, and real change at the USPTO.

    SCO vs. IBM. A cloud hanging over Linux. It really has to be resolved to clear the name of open source. So far so good, but it ain't over til it's over. Who is to say the Judge won't prejudice herself at the last minute, getting her ruling thrown out? It's happened before, right?

    Microsoft vs. EU. Looking back at the MS case in the USA...please, what kind of Judge breaks up a company, then goes on nationwide TV spewing a bunch of prejudicial remarks against the defendant? He knew exactly what he was doing...giving MS another get out of jail free charge. Judgment set aside within weeks. Hopefully the EU will do a better job at enforcing America's laws.

    USPTO: Without huge changes in the way software patents are dealt with, open source will die. Closed source is the only way to (somewhat) hide patent infringement. How many officials can MS, Apple, Oracle, Sony woo? Answer : all of them.

    What does the US government really think of open source? Look around you, they use it sparingly and grudgingly.

    If you're in the military security business, you know open source is officially categorized as "a key to operational predictability"--that is, your opponent can form strategies based on knowledge of open source software released or used by government agencies. I don't really agree with this, since knowing which closed source applications the government creates or uses can provide the same damn thing, especially to a determined adversary, with rooms full of qualified people hacking on the binaries!

    1. Re:only europe can fix america. by v1 · · Score: 1

      Closed source has the immediate advantage of obscuring your code. Hackers can't pore over your source code for mistakes or the occasional red-flag comments. ("we'll just assume xyz here, will code in a check later when we get specs.") Open source is immediately open to scrutiny.

      In the short term, closed source is useful because when your code first hits the network no one knows much about the internals, there are no known holes, and finding holes is difficult. Open source is open to immediate and sophisticated attack as the hackers can see the program flow and exploit visible weaknesses.

      As time goes on, open source is patched to deal with the flaws. Even though the open and closed source could technically be the exact same program, the open source one benefits from the initial exploitation by rapid evolution. Being open source though, it probably started out a little behind the closed source, because it likely did not have a paid and well-organized development group working on it, so it has a little catching up to do anyway. The closed source also evolves, but only in response to internal testing and analysis, and the occasional black/white hat that finds something by poking through the binaries.

      So after a few years, the initial security/stability gap between the two is eliminated. Old open source projects do tend to stagnate after a few years, so development there probably slackens. This happens at about the time you'd expect two competing projects to about equal each other.

      The question then is what happens from there? I believe this is very dependent on the open and the closed projects you examine. Open source may continue active development and surpass closed source. Or it may stagnate and be passed by the paid updates released on a continual basis from the closed source.

      Because of this I don't believe either model is ideal. Depending on how the cards play out, either one could be the better solution. I'd like to think that open source is the winner, but I'm sure it isn't the clear winner.

      --
      I work for the Department of Redundancy Department.
    2. Re:only europe can fix america. by jonaskoelker · · Score: 1

      Being open source though, it probably started out a little behind the closed source, because it likely did not have a paid and well-organized development group working on it.

      That's probably the most absurd argument I've ever heard. Firstly, the assumptions are wrong: people also get paid to work on free software, and some of them work in well-organized groups.

      Secondly, what's the definition of `well-organized'? Working to implement a fixed feature set to a fixed deadline (which can be roughly equivalent to being told "run 100 meters in two seconds")? The feature list being driven by whatever hype-words the marketing folks heard from your company's competitor, and the ship date being "before the christmas sales"? Of course, the team is being well-organized by a manager who hasn't read The Mythical Man-Month, so as the schedule slips, he keeps adding programmers--does that help? ("if a project is late, adding programmers will make it even more late", due to quadratic communication overhead).

      On the other hand, with free software developed with the Bazaar model, you have one very key benefit: the coders are (mostly) self-selected. Why do the work on the code? Doesn't matter (here), but most do it because they get some kind of intrinsic reward, and are thus better motivated. Also, you have parallelizable (and hopefully -lized) debugging, for which there's linear communication overhead (every J. Random Hacker talks to the project lead dev, or a small O(1) core).

      Oh, by the way, I think Mac OS classic was written by "paid, well-organized" people, yet it did not support preemptive scheduling or memory protection. Nourishing substances for activities in the (pre)frontal lobes.

      (note: I don't love hating Mac OS classic--I bash all OSes which don't have memory protection and preemptive scheduling, and I don't love hating Apple either--In fact I think that Mac OS X may be a very good choice for mom, pop, my gf and aunt tillie; I won't use it, because not all of the software is free, afaik, but in a strictly technical sense it's great for joe sixpack).

  27. Re:Open Source Software: Opportunities and Challen by Anonymous Coward · · Score: 1, Interesting

    Upon reading the PDF it struck me that if an organisation like the military wanted to use OSS in a more secure fashion, then the use of closed locked down binaries of the code like a default Linux secure network setup is the best option. The problems arise when the individual nodes can be modified willy nilly by malicious code. If you do not include a compiler on the nodes and make sure that binaries cannot be installed by users then you have a blueprint for bulletproof security. Given that the code that is originally compiled into the secure binaries is all visible, it would seem dangerous for the military to use closed source binaries like windows software and remote access sys-admin.

  28. Re:OSS Security depends on bugs being fixed by J.+Random+Luser · · Score: 3, Insightful

    Support. I can make Linux work for me and my company but not every company can. Where is the Linux Geek Squad? Yeah, all those scan-disk, defrag, run adaware and scan for virus "techies" give me the creeps but they seem to fill a need. Where can the mythical grandmother go to get a DVD installed in her Linux box or find out how to fix Thunderbird if the mail folder blows up? I will not even go into the poor state of some documentation for open source programs.

    Reminds me of when as a noob, I reported an error in a man page to a project mailing list, hoping somebody close to the project might pick it up and fix it. Nah, the response was: OK, write yourself a new man page.

    That attitude still pervades most OSS projects. The result is open source is regarded as by geeks for geeks, and IMHO this, more than any perceived security risks, will keep it off the desktop for a long time yet. Sure, I see quite a few specialist applications coming through now packaged for MacOS-X. Here's an example (names obscured to protect the ignorant): a multimedia application, gui built on GTK, equal to commercial products of several hundred dollars, well worthy of the suggested paypal donation. But it requires access to the Hardware Abstraction Layer, which is provided by a different oss project, whose raw binaries will do what's needed from the command line, but no gui interface yet, unless you build it, in Qt.

    Security problems in OSS are multiplied by forking, and geekishness for its own sake.

  29. Wow by ROOK*CA · · Score: 2, Funny

    Three years, $1.24 Million, and what do we got .....

    The envelope please ...

    "LAMP 'showed significantly better software quality' above the report's baseline with an average of .32 defects per 1,000 lines of code, according to Coverity. The average for open source projects analyzed is .42 per 1,000 lines."

    Wow, LAMP is a pretty damn high quality stack after all....gee thanks Captain Obvious, we didn't really need those tax dollars for anything anyways. :)

    1. Re:Wow by Short+Circuit · · Score: 1

      You should take an introductory course in either persuasive speaking or persuasive writing.

      Knowledge isn't useful when trying to be persuasive unless it can be cited. And citing a study for a quote is more reputable than citing, say, a Slashdot comment. ("But it was rated +5 Insightful!")

  30. This report is a GOOD thing! by Anonymous Coward · · Score: 0

    I'm a contractor at DHS and have been trying to get them to use Linux in many of the systems we work on. I've given them the whole spiel about licensing, lower cost, dependability, etc of OSS solutions vs. the proprietary software. I'm hoping their own report will help convince programs within DHS to look to OSS instead of watching most of our IT budget go to software licensing.

    1. Re:This report is a GOOD thing! by ROOK*CA · · Score: 1

      Yeah of course it is, where else besides a Federal Government Agency do you have to spend almost a million and a quarter dollars just to convince the suits that the IT department knows what it's talking about?

  31. superb! by macsox · · Score: 4, Funny

    if there is one group of people i trust to be able to accurately identify a quality product, it's the government.

    1. Re:superb! by cyber-vandal · · Score: 1

      As opposed to who? Microsoft? Here in the UK Margaret Thatcher preached a similar mantra that government organisations are useless, inefficient and bureaucratic. So she privatised like a demon and now we have public services that are not only useless, inefficient and bureaucratic but now also largely unaccountable even though people still depend on them as much as ever. The profit motive doesn't automatically make an organisation better.

  32. Re:money? OSS not free, but important! by Anonymous Coward · · Score: 0

    Get a clue. Do you really think OSS is free? I've been a programmer long enough to know that many OSS programmers do a lot of their work while on someone else's nickel. Meaning, myself and others, often spend an hour or more a day working on coding or reviewing OSS while we're at our day job. My boss never knows, to him software is software. Doing some math, averaging only 1.5 hours a day on OSS x 250 work days/year gives 375 hours (roughly 10 weeks) per year the bossman is getting screwed out of work for his company. At $20/hour (not counting cost of benefits), that's $7,500/year. And that's just one person who isn't totally obsessed with OSS! Don't try to fool people, OSS is not "free", but it is critical. Sort of like everyone doing their part to bring along this technology. Besides, working on OSS makes me a better programmer.

  33. Re:money? by BeanThere · · Score: 4, Insightful

    And I wonder how many more millions they can now save by using OSS, now that they know they can be more confident in its quality? Have you ever heard of the word "investment"?

  34. .32 out of 1,000 lines of code? by XB-70 · · Score: 1

    Hmmmmm, wonder what Vista would look like under that scrutiny?...
    Hmmmmmm.... Hey, I have a thought: if Microsoft does as it says and allows the Gov't to view its code (without releasing it), should not this standard of examination be applied to Microsoft's software too so that we could have a better idea of just what level of quality we can expect from the private sector?

    --
    *** Don't be dull.***
    1. Re:.32 out of 1,000 lines of code? by obarel · · Score: 1

      If Vista has 40,000,000 lines of code and 10,000 bugs were found (that's 50 fixes in each Windows Update, every week, for four years), they'd still be better than 0.32 defects per 1000 LOC.

      I've no idea how many lines there are in Vista (or, for that matter, how you count them), but the rumours say that Windows XP is about 40M LOC.

  35. Same Old Math Error by oldCoder · · Score: 2, Interesting

    These guys just can't think straight:

    LAMP "showed significantly better software quality" above the report's baseline with an average of .32 defects per 1,000 lines of code, according to Coverity. The average for open source projects analyzed is .42 per 1,000 lines.

    So if LAMP open-source is simply more verbose than other kinds of open source, the number of bugs per line of code can go down? How about just adding a million lines of bug-free but totally bogus code to your project -- and completely winning the race of "Defects per 1,000 lines of code"?

    If I remember correctly Coverity has been discussed on slashdot previously and they used the same diseased statistical thinking back then, too.

    --

    I18N == Intergalacticization
    1. Re:Same Old Math Error by Jayr · · Score: 1

      Well, I suppose that would work. But such padding would show up pretty obviously in the analysis, don't you think? I doubt many projects optimize for defects/kloc by adding worthless code instead of just writing better code.

      A measure has to be made here, and although defects/kloc can be gamed, it's pretty obvious when such gaming has occurred.

    2. Re:Same Old Math Error by mdfst13 · · Score: 1

      "How about just adding a million lines of bug-free but totally bogus code to your project"

      If it were that easy to write a million lines of bug-free code, we'd all be doing it. Bogus code is *MORE* bug prone than application code. Why? Because it's never tested.

      Sure, in theory, people could just add a bunch of lines with just semi-colons. However, in practice, the testing agency would notice this and come up with a screen. Anything more complicated than empty statements is prone to error.

    3. Re:Same Old Math Error by tricorn · · Score: 2, Interesting

      The real problem isn't bogus stats caused by line inflation. The real problem is that it only finds certain types of bugs. If a bug causes an incorrect result or improper behavior, but doesn't cause a memory leak or the like that crashes the program or system, then it isn't being found. It also isn't finding STUPID code - code that works but is ridiculously convoluted, slow, difficult to modify, redundant (writing 5000 lines of code to do some string manipulation and parsing that could be done just as easily and efficiently using a RE library, or use lex, or some other straightforward solution - I've seen code that re-implemented several of the standard library string routines, and to add insult to injury, did it poorly and with a memory leak - at least these guys would have found the memory leak, but their solution would probably be to fix the leak, not toss the whole routine). C++ programmers seem to do this kind of thing particularly often, although many "object oriented" programmers can screw things up in multiple languages with equal facility.
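The sub-thread above argues both that defects per 1,000 lines can be gamed by padding a project with empty lines and that a measuring agency would screen such padding out. The following is an added example, not code from the thread or from Coverity, showing one such screen: it counts only lines of C source that carry a statement, declaration or directive (dropping blank lines, comments and bare `;` statements) and reports defect density on both the raw and the screened count. The C snippet and the padding are constructed for the example, and the single-defect count is an assumed input; a real tool would also have to handle comment markers inside string literals, which this simplified stripper ignores.

```python
"""Defects per KLOC with a screen against line padding (constructed example)."""
import re

# Block comments are replaced by the newlines they spanned, so line numbering
# is preserved; line comments are simply removed. Simplification: comment
# markers inside string literals are not recognised.
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_LINE_COMMENT = re.compile(r"//[^\n]*")


def strip_comments(src: str) -> str:
    src = _BLOCK_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), src)
    return _LINE_COMMENT.sub("", src)


def count_raw_lines(src: str) -> int:
    """Physical line count, the figure that padding inflates."""
    return len(src.splitlines())


def count_effective_lines(src: str) -> int:
    """Lines that carry a statement, declaration or directive."""
    n = 0
    for line in strip_comments(src).splitlines():
        body = line.strip()
        if not body:
            continue                 # blank or comment-only line
        if set(body) <= {";"}:
            continue                 # empty statement(s) such as ';' or ';;'
        n += 1
    return n


def defects_per_kloc(defects: int, lines: int) -> float:
    if lines <= 0:
        raise ValueError("no lines to measure")
    return defects * 1000.0 / lines


def density_report(defects: int, src: str):
    """Return (raw density, screened density) for the same defect count."""
    return (defects_per_kloc(defects, count_raw_lines(src)),
            defects_per_kloc(defects, count_effective_lines(src)))


# Constructed C sample: 10 physical lines, 8 of which carry code.
REAL_CODE = """\
#include <stdlib.h>

/* Allocate a zeroed buffer; the caller frees it. */
char *make_buf(size_t n) {
    char *p = calloc(n, 1);
    if (p == NULL) {
        return NULL;
    }
    return p; // one statement per line
}
"""

# Constructed padding: 40 empty statements, 40 comment lines, 10 blank lines.
PADDING = ";\n" * 40 + "// filler\n" * 40 + "\n" * 10

if __name__ == "__main__":
    for label, src in (("unpadded", REAL_CODE), ("padded", REAL_CODE + PADDING)):
        raw, screened = density_report(1, src)
        print(f"{label}: raw {raw:.1f}/KLOC, screened {screened:.1f}/KLOC")
```

With one assumed defect, padding drops the raw figure from 100 to 10 defects per KLOC while the screened figure stays at 125 per KLOC, which is the point both posters make: the metric is gameable, but only if the measurer counts naively.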

  36. Mod parent up by Anonymous Coward · · Score: 0

    It's not a troll if a mod has a political bias that conflicts with the post. If you can disprove something factual in the post, then mod it troll. But don't just mod things down for political persuasion.

  37. Yes. by Anonymous Coward · · Score: 2, Informative

    I'm involved in one of the F/OSS projects that Coverity analyzed; and yes, they were co-operative with the dev team in sharing their insights.

  38. hypocrisy by ricoder · · Score: 1

    Well, at least it can be seen that there is overwhelming bias at slashdot. Not that I care, since I still read the news here.

    If any MS (or should I say M$) product were to have been put in an article like that, the mobs would have screamed for Gates's head. However, since it is the all-powerful-silver-bullet-snake-oil open source, all I see are excuse makers and doubters. If anyone is to even take themselves seriously, they must be at least OPEN to the idea that something they believe in is not perfect, and possibly quite flawed.

    It's one thing to sit in an ivory tower, or garage, and pontificate on the utopian ideals of open source and free love without concern of ramification. It is a completely different thing to be tasked with the welfare of a nation and its people and just HOPE that the software is safe and will work as promised. I can appreciate the Linux/OpenSource/FreeLove ideals of slashdot and its readership, but there is a point when a person has to put personal bias aside and consider that there are greater things at risk than personal pride and being 1337.

    --
    Pluralitas non est ponenda sine necessitate
  39. SE-Linux by Anonymous Coward · · Score: 2, Interesting

    Why no mention of SE-Linux?
    One agency study.
    1.5 million dollars spent.

    How much did the NSA spend developing SE-Linux?
    Must have cost more than 1.5 million. And that is now at the core of Linux.

    Yes many in the US Government are aware that Open Source software rocks.

    Impeach the Liar

  40. In what sense is the CBO a political animal? by Anonymous Coward · · Score: 1, Insightful

    Democrats prefer static modeling because then they can argue against tax cuts. Republicans favor dynamic modeling to support a "trickle down" effect.

    From the link you provide:

    "[I]nstituting a formal policy for the use of dynamic scoring would require planning or estimating around future fiscal policy, taxpayers' future behavior, and future business cycles well beyond the window of time for which they can reliably be predicted .... [M]easures of macroeconomic feedback effects are very sensitive to assumptions that are subjective... Given the degree of uncertainty inherent in current methods of macroeconomic forecasting, true dynamic scoring would not allow the consistent and comparative cost estimates"

    "CBO and JCT do currently provide estimates to illustrate potential effects on the economy of significant tax proposals, at the request of Members of Congress, but such estimates are not official and only offered as supplemental information. Even opponents of dynamic scoring have encouraged this practice to continue in the same sort of advisory, rather qualitative (and not quantitative) manner because, as Kobes and Rohaly explain, they 'show how sensitive a proposal would be to various changes in these [macroeconomic] assumptions. However, producing an estimate in the form of a single revenue or cost number would be misleading.'"

    Upshot:

    1. The CBO uses static scoring for official estimates, and does so only for non-political reasons.

    2. Democrats prefer static scoring for official estimates, which sounds like a better method, but no doubt they do so only for political reasons.

    3. Republicans prefer dynamic scoring for official estimates, which sounds like an inferior method, and no doubt they do so for political reasons.

    So yes, there is a controversy, and the controversy is politically-motivated.

    But no, the CBO's decision in this matter is motivated only by sound accounting principles without regard for political ramifications.

    1. Re:In what sense is the CBO a political animal? by toddbu · · Score: 1
      But no, the CBO's decision in this matter is motivated only by sound accounting principles without regard for political ramifications.

      The CBO was once asked to calculate the economic impact of taxing all income over $200K/year at 100%. They came back with an estimate that tax revenue would increase by several billion dollars. This ignores the reality that without a financial incentive, most people would stop working once they got to this level and that tax revenue would actually drop. Given this information, would you then continue to argue that CBO policy constitutes "sound accounting principles"?

      For what it's worth, I'm not suggesting that the CBO scoring method was chosen purely because it benefits Democrats. I suspect that it's more motivated by the fact that it's difficult for the bean counters to work projected benefits into their models, so it's politically expedient for them to ignore the possibilities. I also suspect that they don't want to be held accountable when things go wrong, which isn't necessarily a bad idea.

      --
      If you don't want crime to pay, let the government run it.
  41. cluster by Anonymous Coward · · Score: 0

    There are BSCs that run linux (rh mostly) and the like in wide use.

  42. Metaphor by Anonymous Coward · · Score: 0

    It's funny how the US security is almost as poor as Windows security!

    Now if we could only deny those terrorists root access...

  43. What the hell are you talking about? by flyinwhitey · · Score: 0, Flamebait

    "The whole point of my post is that it's easy for good data to get lost in political debate."

    Then why did you bring up unrelated, useless, politically motivated points?

    No, it's obvious you were karma whoring, at least be a man and own up when you get caught.

    And save your protests, no one believes you.

    --
    How pathetic are you that you follow me from topic to topic and waste all your mod points at once modding me down?
    1. Re:What the hell are you talking about? by toddbu · · Score: 1
      And save your protests, no one believes you.

      What protest? It isn't a protest to point out political reality.

      For what it's worth, I voted for GWB in both elections. I personally think that most of the New Orleans/Katrina coverage is sniveling. I recently sent email to my Congressional delegation telling them to pull their head out of their collective asses and stop hating people just because they're Arabs. Of course you probably just assumed that because I'd point out a current political controversy that I'd be anti-Bush. Sorry to tell you, but I've voted Republican at every level of government going back to Reagan, the last of the true conservative Presidents.

      It's people like you who've screwed up our political system with your inane, single-minded approach to debate.

      --
      If you don't want crime to pay, let the government run it.
    2. Re:What the hell are you talking about? by Anonymous Coward · · Score: 0

      For what it's worth, I voted for GWB in both elections.

      At first I merely dismissed your comments as a liberal venting hate, everyone needs to vent. Now I agree with the previous post, simple karma whoring.

  44. Re:RTFA - Now that's service! by Air-conditioned+cowh · · Score: 1

    This definitely adds weight to the "more eyes make bugs shallow" principle of open source.

    How many closed-source applications would get this sort of helping hand?

  45. Stamford University? You mean Stanford. by Morganth · · Score: 2, Interesting

    I know that there is a Stamford University, and everyone always jokes that it's for people who want to pretend they went to Stanford, but, this just makes things really confusing. The Register article says Coverity used a verifier from Stamford University, when really the program came from Stanford. In fact, AFAIK, UCONN-Stamford doesn't even have a CS department.

  46. Where's the Beef? by PhYrE2k2 · · Score: 2, Insightful

    To quote the Wendy's commercial, "Where's the Beef?".

    No seriously! Where's this article? I'd imagine three years and 1.25 million dollars would produce a hefty article. I'd love to give it a read! "US Department of Homeland Security has released a report on open source quality"- so where's the release?

    It cites one or two figures, and throws around lots of buzz-words, but there's no comparison? No information? No study of reliability? Nothing at all.

    PS: As a side-note, if they 'studied' 15 million lines of code over three years, and were able to identify defects, shouldn't we be seeing a nice patchset coming from Coverity sometime soon... Think about it. It's easy to tell someone else to fix it, but a good part of OSS is giving back.

    --

    when you see the word 'Linux', drink!
    1. Re:Where's the Beef? by sl4sh13 · · Score: 2, Funny

      The report must be closed source!

    2. Re:Where's the Beef? by Anonymous Coward · · Score: 0

      The 'Value' would be if they did the same study on MS - they would have the source.

      Taxpayers should get to see the relative fault rates between MS and open software - so intelligent decisions can be made.

      You wonder if it is their stance that exploitable systems are preferred. By staying mum, they are doing another 'Katrina'.

    3. Re:Where's the Beef? by Frit+Mock · · Score: 1

      This is a work in progress, methinks.

  47. Certified USDA Prime Software by mattr · · Score: 1
    It would be very useful if they could do some of the following, if in fact DHS was supposed to be in this business which I doubt, it is really a very gray area. But they seem to have free time on their hands so a wish list:
    • Tell authors about bugs they find, as they find it
    • Submit bugs via the project's bug submission system
    • Develop a bug submission standard object format and open testing methodology, maybe even a server and some ontology to help automate this stuff?
    • Teach developers ways not to make those bugs again
    • Develop open automated bug checkers
    • Allocate money to hire programmers to fix important bugs in important open source packages
    • Establish a government certification of quality which will be fabulous for open source
    • Disclose a roadmap to certification for any given software
    • Certify private and academic labs for similar certification
    But note that the DHS was established to fight terrorist attacks. Anybody doing this kind of service for OSS and able to provide a certification is nice, but the only valid reason for DHS to do this is if they have special know-how about potential vulnerabilities of software to cyberwar (NOT - they are using antivirus firms instead of the military to get know-how) this is really not in their purview.

    I am troubled by DHS goons' bullying of people for library use, parking violations, underage drinking or whatever is the latest thing they have to pass the boredom. Cyber security is a great area but they could do best by establishing tools for bug detection and safe code writing. In fact while a government certification and free bug testing is nice it is not what they are supposed to be doing.

    1. Re:Certified USDA Prime Software by mattr · · Score: 1

      Thanks for your very interesting comment, it sounds like you live an exciting life! Point well taken. Perhaps government(s) will start to outreach more to open source software developers and this is just the beginning of a good thing, and granted perhaps one of the best and least destructive things DHS could choose to do.

      It seems to me that both the DHS and the open source community would benefit from a broad discussion of how DHS can and should contribute, in particular if they are spending millions maybe they could hire some good people and write/create some open source code we could all use.

      DHS seems to have talked to antivirus companies, maybe they could do a Slashdot interview or better yet start a mailing list/website/sourceforge project? Like you were mentioning that call from the NSA is quite interesting. I'm writing some business software that will probably need to support SSL and clients may need that but not in fact require checking certs either. I spent tons of time in the past deciphering how to be a Certificate Authority with OpenSSL just to get a small project working, maybe the NSA or DHS could write tutorials on that even. Anyway, thanks for your response. Hoping a DHS person is reading this and realizes there are lots of things they could help with, but they need to get the experts involved if they aren't yet. If they could get a cyberwar chief to ensure apache is safe that's great but they already are claiming it has bugs in 0.03% of its lines, so they need to tell us what they are.

  48. non-hypocrisy by BeanThere · · Score: 1

    Well, at least it can be seen that there is overwhelming bias at slashdot.

    - Saying that one race group is inferior to another constitutes a "bias": correct.
    - Saying that some software is better than other software constitutes a "bias": incorrect

    The two are not analogous. The flaw in your argument is the implicit assertion put forth that "all software is created equal" (so to speak) and that any preference of some software over another must therefore constitute a bias. Here's a cluestick for you: Software really does differ.

    I suppose you would also slate a mechanic for "hypocrisy" and "bias" if he said that a Ferrari is better than a Hyundai.

  49. Meaningful, actually. by CarpetShark · · Score: 1

    We studied the quality of software compiled with the Watcom 10.0 C++ compiler.

    That is perfectly logical. Software that comes OUT of a compiler should certainly be tested for quality. Watcom processes source code, and produces a resulting change, so it's valid to ask questions about that. Likewise, Open Source is a process, with its own unique qualities and product attributes. Also, it's an ALTERNATIVE process to the main ones used to develop software, so the idea of evaluating the different outcomes from each alternative is entirely valid.
  50. Re:OSS Security depends on bugs being fixed by MarkByers · · Score: 2, Insightful

    Reminds me of when as a noob, I reported an error in a man page to a project mailing list, hoping somebody close to the project might pick it up and fix it. Nah, the response was: OK, write yourself a new man page.

    What project was it? Is it anything we care about?

    How about linking to your 'bug report' so that we can see this supposed reply?

    That attitude still pervades most OSS projects.

    What OSS projects are you referring to? Not all OSS projects are equal. You are generalising.

    What evidence do you have of most OSS projects having a bad attitude?

    --
    I'll probably be modded down for this...
  51. Plenty missed here. by crhylove · · Score: 1

    This war has already happened, and open source is just picking off the last few closed source soldiers.

    All the apps on my machine are open source (except windows itself), and where the apps go.... Eventually so will the OS. It's just gonna take a lot longer. The app war isn't even fully finished yet. Look at Gimp/Photoshop. They are still kind of duking it out, but gimp is the inevitable winner, and a few graphics profs already realise that and are jumping ship, if for no other added incentive than saving $1.5m on 500 photoshop stations or something.

    Open Source has already won. Just let the last few battles play out in the pathetic ways that they will.

    rhY

    --
    I hold very few opinions. I hold information based on observation and fact. If you wish to disagree, please use facts.
    1. Re:Plenty missed here. by kimvette · · Score: 1

      Gimp does not even come close to the functionality provided by Photoshop. Maybe in another 15 years The Gimp will do what Photoshop can easily do now.

      Layer effects, anyone?
      EASY macros and actions, anyone?

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    2. Re:Plenty missed here. by kimvette · · Score: 1

      Oops, and another thing I really, REALLY hate about The Gimp:

      When you create a text layer, apply a few effects (filters, scaling/skewing, etc.) to it, then discover you need to add more text, what happens?

      You lose ALL of your effects and you have to re-apply everything you did.

      In Photoshop? Just edit. It will retain the effects you have applied.

      I really, really, really hope Adobe releases the creative suite on Linux. :)

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
  52. stupid article by tacocat · · Score: 1

    This article is kind of dumb. It compares LAMP to everything else FOSS.

    I don't need that, I need to know how FOSS compares to Proprietary Software.

  53. The .gov folks do give back at times... by Anonymous Coward · · Score: 0

    I was contacted by an NSA analyst about one of my projects. It's an IRC client with an IRC over SSL feature. The SSL feature doesn't verify certificates (I knew this) and the analyst noted this issue was raised while they were auditing my software. They asked if I planned to fix the problem and when.

    Once I was an intern at a govt lab and part of my duties included hacking together a patch for some security type software. I was allowed to release the patch back to the original authors so long as the govt was left out of it.

    So they can and do reach out sometimes.
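The defect the poster describes, an SSL client that encrypts the session but never checks the server's certificate, is exactly what an audit like the one mentioned would flag, because any party who can sit on the path can present their own certificate and read the traffic. The following is an added example (not the poster's IRC client, whose code is not on the page) showing the weak configuration beside the corrected one in Python's standard `ssl` module, plus a small audit check. The IRC port 6697 and the `connect_irc` helper are assumptions for illustration; the helper opens a real network connection and is not exercised by the offline checks.

```python
"""TLS client contexts: the unverified pattern beside the verified one (added example)."""
import socket
import ssl


def insecure_context() -> ssl.SSLContext:
    """The configuration being criticised: the session is encrypted, but any
    certificate is accepted, so the client cannot tell the real server from
    an impostor. check_hostname must be cleared before verify_mode can be
    lowered; the order below is what the ssl module requires."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context(cafile=None) -> ssl.SSLContext:
    """Validate the chain against the system trust store (or the CA bundle
    given in cafile) and require the certificate to match the host dialled.
    create_default_context already sets these; they are restated so the
    intent is explicit in the code a reviewer reads."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Audit check: True only if the context validates the chain AND matches
    the hostname. Either one alone still lets an impostor through."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def connect_irc(host: str, port: int = 6697, cafile=None) -> ssl.SSLSocket:
    """Open a verified TLS connection to an IRC server (assumed port 6697).
    server_hostname is what the hostname check compares the certificate
    against, so it must be the name the user actually typed."""
    ctx = secure_context(cafile)
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("secure", secure_context())):
        print(f"{name}: verifies peer = {context_verifies_peer(ctx)}")
```

The audit function is the part worth keeping around: run it over every context a client builds and the "encrypts but trusts anyone" case shows up as a plain `False` rather than as a silent success on the wire.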

  54. Navy Replaced Sun with Yellow Dog Linux ... by AHumbleOpinion · · Score: 4, Interesting

    The US Navy replaced Sun with Yellow Dog Linux, originally on Apple hardware and now on some other PowerPC based hardware, for sonar processing on subs.

  55. Kiddies got mod points today by Anonymous Coward · · Score: 0

    The kiddies must have mod points today. That was about as humorous as a fart joke, even for someone who is no fan of GWB and is wearing tinfoil.

  56. Andy?? by symbolset · · Score: 1
    Andy Card? Is that you?

    No, it couldn't be. Your website bites. Having seen it one can see the desolation of the field from which your opinion grew. I'm sorry.

    --
    Help stamp out iliturcy.
  57. Hardcore Security by Anonymous Coward · · Score: 0

    The Open Source model does not typically conform to the requirements for getting a high rating (Evaluation Assurance Level 4 or higher) for Common Criteria (http://niap.nist.gov/cc-scheme/). Note that it could, but typically FOSS projects do not have this kind of rigor.

    A rating of EAL 4 is a typical benchmark that NATO governments use for "low threat" environments.