Slashdot Mirror


US Government Studies Open Source Quality

anadgouda writes "US Department of Homeland Security has released a report on open source quality in an effort to study the security of open source. 31 popular open source packages were studied as part of this effort. From the article: 'Coverity's report, Stacking up the LAMP stack: a study of open source quality, was produced as part of a $1.24m, three-year DHS Science and Technology Directorate effort to evaluate and improve the security of open source.'"

39 of 165 comments

  1. So, by Eightyford · · Score: 4, Interesting

    So, does anyone have the numbers as to how much of the government uses open source? Is it mostly an applications thing (OpenOffice) right now, or are Linux and the BSDs much in use?

    1. Re:So, by jtev · · Score: 2, Funny

      It's called an expletive. Yes, really, the word is an actual part of speech, though common usage has twisted it into meaning words that are unacceptable for publication. An expletive is a word that adds flavor to written or spoken communication that does not alter the meaning of that communication. Thank you for playing the grammar game, but please, understand what you're criticizing before you play again.

      --
      That which is done from love exists beyond good and evil
    2. Re:So, by egypt_jimbob · · Score: 4, Interesting

      Speaking as a student about to graduate and go into Federal Civil Service as a penetration tester, I can tell you that all of the agencies with which I have interviewed use mostly Linux. Well, all of the agencies that are actually good at what I want to do.

      So far it's been mostly Gentoo from what I've seen, but there are some places that have to use Red Hat because their management said it has to have 'support.'

      Bear in mind, however, that the places I'm interviewing are hardcore hacker groups, so this may be (and probably is) completely off the norm.

      --
      I am a leaf on the wind. Watch how I soar.
  2. Evaluate and Improve by Jeremy.DeGroot · · Score: 5, Insightful
    I think it's great that the government is backing this kind of study, and I think the high marks a lot of packages received will really be a boon to the OSS movement. I think the part of TFA that excites me the most though, is this:
    Coverity evaluated 15m lines of open source code with Stamford University's Computer Science Department. The report has identified bugs that can corrupt a machine's memory space, memory leaks, buffer overruns and crashes. Coverity said it would now engage with open source developers to improve code, and identify potential reasons for why some projects have more bugs than others.
    If they're going to take their comments back to the communities that develop the software, then this could give the development communities a lot to work on and improve, and that could give us some greatly improved software in a year or two's time. I think work like this is the real strength of Open Source, and I hope to see more of it in the future.
  3. So they submitted Bugs, Right? by BigBuckHunter · · Score: 5, Interesting

    This study would be extremely valuable if they had submitted BZilla bugs for each and every defect they encountered. It's hard to tell from the article whether they did or not. One thing that I have learned from running ~arch in Gentoo is that if you don't submit bugs, things aren't going to get fixed.

    BBH

    1. Re:So they submitted Bugs, Right? by Too+many+errors,+bai · · Score: 4, Funny

      If these packages are used within the government, the security holes discovered are probably kept secret. National security and all that.

  4. Fan of Linux, not of Homeland Security by toddbu · · Score: 3, Informative

    I feel very conflicted by this report. On the one hand, I'm happy to see a report that favors open source. On the other hand, in the wake of the Katrina political fallout, it's difficult to say whether this report helps or hurts. The last thing LAMP needs right now is to get caught up in the Brown/Chertoff/GWB affair. The only thing worse would be to have the UAE issue a similar report. :-)

    --
    If you don't want crime to pay, let the government run it.
    1. Re:Fan of Linux, not of Homeland Security by Saeed+al-Sahaf · · Score: 2, Insightful

      There is no relationship between this study and Katrina. The disaster people work in a different office, down the hall. Would you like me to transfer you? Hold on....

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    2. Re:Fan of Linux, not of Homeland Security by toddbu · · Score: 3, Interesting
      The branches of government like the GAO, NASA, the President's Office of Management and Budget are all known for this. Not everything that goes on in Washington has to do with politics.

      You can't really be that naive, can you? Take the OMB for example. There's a big debate going on about whether OMB should use static scoring or dynamic scoring. It doesn't really matter which one you prefer, but I can tell you that in the current political climate it makes a *huge* difference. Democrats prefer static modeling because then they can argue against tax cuts. Republicans favor dynamic modeling to support a "trickle down" effect. But the idea that somehow OMB is neutral is ignoring reality. Even if they don't intend to favor one party or another, the fact is that there is no action that they can take that won't benefit one group or another.

      Interesting that you should mention NASA. Their very existence depends on the support of the aerospace community and the regions of the country that benefit from NASA centers. They are very good at using their influence to get what they want. Even if you could claim that they don't favor one political party over another, they are still very skilled at using political influence to their advantage.

      --
      If you don't want crime to pay, let the government run it.
  5. Their findings are as follows by Mancat · · Score: 4, Funny

    Open-source software is a serious threat to this country. These terrorist schemes, or "development projects," as the terrorists refer to them, are designed to rot away the core values of our great nation that we hold so dearly. One in particular, known as "Linux," is especially suspect. It is "developed" by terrorists worldwide, many of which are communists, and many of which do not even support our great commander in chief! It is appalling! How can we trust the security of our nation to these rogue "developers?" Surely they may have hidden devices in their programs, hidden in elaborate matrices of computer programming, that when activated by the terrorists, will disable the software and send them all of our secret data! It can only be expected.

    The terrorists are cunning, they are secretive, and they will destroy us if they have their way. This world-wide "open source" terrorist movement must be deconstructed and eliminated. There is no other way to protect our Great Nation! We say to you, as the purveyors of truth and all that is good, avoid this "open source" and its proponents like the plague! They wish to destroy everything we hold dear. You, my good American, are the first line of defense. Report users of "open source" to the authorities. Gather any information on them that you can. You may even consider running their dastardly "software packages" in your own free time, so that you may come to know your enemy - for knowledge is the greatest tool that we have in this fight.

    Stand proud, my fellow Americans, and beware this new emerging beast. It will surely be the end of us all if we do not take action now.

    Quoted from President George W. Bush's State of the Nation Address, January 2007.

    --
    hello dear sirs my name is jamesh i are india (bihar) can u guide me install red had linux 9?
  6. Where's the report? by boa13 · · Score: 4, Insightful

    One would expect that being about open-source and all, and with a purpose of helping open-source developers improve the quality of their code, they would publish the report on a government website somewhere. C'mon, where's the link?

  7. stanford will keep the database public... by hihihihi · · Score: 5, Informative

    the report has better coverage on this page: http://www.eweek.com/article2/0,1895,1909946,00.asp

    from this TFA:
    "Anti-virus vendor Symantec Corp. is providing guidance as to where security gaps might be in certain open-source projects."

    PS: I am not sure if it has been published on /. or not

    --
    everyone downmodding this post will be prosecuted for reading my post without first buying a license!!!
  8. Meaningless categorization by sreekotay · · Score: 4, Insightful

    I've always thought it VERY odd to think about "Open Source" as a thing.

    It'd be like saying: We studied the quality of software compiled with the Watcom 10.0 C++ compiler. "Open source" cuts across so many levels of skill and projects. You can pretty much find projects that support (or destroy) whatever thesis you'd like to put forward.

    Even more, somebody pays for the development of the software, one way or another.

    This article (from ONLamp) http://www.onlamp.com/pub/a/onlamp/2005/07/21/software_pricing.html really puts it into better perspective. Basically, it says ALL software can be deconstructed to being about the service (at least so long as the technology curve continues, in practice, to limit its lifespan).

    --
    graphicallyspeaking

    1. Re:Meaningless categorization by Night+Goat · · Score: 2, Insightful

      It's a lot more difficult to study the bugs in closed source code and get a bugs per thousand lines of code metric out of it. That is probably why they're doing the testing on OSS.

  9. MOD PARENT DOWN by Anonymous Coward · · Score: 4, Funny

    The parent is wasting valuable time on Slashdot that should be spent finalizing his Independent Study project for the College of Wooster. He has precious little time left.

    1. Re:MOD PARENT DOWN by Jeremy.DeGroot · · Score: 2, Interesting

      If this came from who I think it did, your IS ain't in any better shape than mine, buddy. :-p

  10. Compare with... by Anonymous Coward · · Score: 2, Interesting

    ...New Zealand's recent analysis of open source, which focuses on legal issues.

    1. Re:Compare with... by cyber-vandal · · Score: 2, Insightful

      25 There is a risk that open source software contains functional defects, or breaches a third party's intellectual property rights (e.g. where it contains code misappropriated from proprietary software or functionality in breach of a patent). The absence of warranties and indemnities in most open source licences means the licensee bears this risk. This can be contrasted with the protection usually available under commercial software licences.

      That made me laugh.

  11. Yes by jascat · · Score: 5, Interesting

    While not used on every desktop, I know of a lot of F/OSS being used everyday in the military. It would be stupid to not use it. Why would companies like Red Hat and Novell spend money on getting their software certified to run on classified systems if it wasn't going to get used? While we may be selling out to Microsoft a lot, there are times when those of us who know better manage to convince the decision makers of the right tool for the job. In some cases, it's a MS product, in others, it's something else.

  12. RTFA by Night+Goat · · Score: 3, Interesting

    From the article, which I'm SURE you read:

    Coverity evaluated 15m lines of open source code with Stamford University's Computer Science Department. The report has identified bugs that can corrupt a machine's memory space, memory leaks, buffer overruns and crashes. Coverity said it would now engage with open source developers to improve code, and identify potential reasons for why some projects have more bugs than others.

    Yes, the folks who ran the tests plan to submit their findings to the developers to help squash bugs.

  13. Open Source Software: Opportunities and Challenges by Old+Duck · · Score: 5, Informative

    An interesting study was done by the U.S. Military (the Air Force, I believe) concerning Open Source and its place in the Department of Defense, though it is written in such a way to be useful to non-military personnel and applications. It is a similar, yet IMHO, a more interesting read than the parent.

    The report can be found as a PDF at http://www.stsc.hill.af.mil/crosstalk/2005/01/0501Tuma.pdf

    --
    There are more things in heaven and earth, Horatio, Than are dreamt of in your philosophy.
  14. What is normal? by CAPSLOCK2000 · · Score: 2, Insightful
    FTA:

    LAMP "showed significantly better software quality" above the report's baseline with an average of .32 defects per 1,000 lines of code, according to Coverity.
    The average for open source projects analyzed is .42 per 1,000 lines.

    Does anyone have any factual data on what is "normal" (accepting all the problems of counting lines and bugs in the first place)? I've seen estimates range from 2 to 100 per 1000 lines.
  15. Re:OSS Security depends on bugs being fixed by J.+Random+Luser · · Score: 3, Insightful
    Support. I can make Linux work for me and my company but not every company can. Where is the Linux Geek Squad? Yeah, all those scan-disk, defrag, run adaware and scan for virus "techies" give me the creeps but they seem to fill a need. Where can the mythical grandmother go to get a DVD installed in her Linux box or find out how to fix Thunderbird if the mail folder blows up? I will not even go into the poor state of some documentation for open source programs.

    Reminds me of when as a noob, I reported an error in a man page to a project mailing list, hoping somebody close to the project might pick it up and fix it. Nah, the response was: OK, write yourself a new man page.

    That attitude still pervades most OSS projects. The result is open source is regarded as by geeks for geeks, and IMHO this, more than any perceived security risks, will keep it off the desktop for a long time yet. Sure, I see quite a few specialist applications coming thru now packaged for MacOS-X. Here's an example (names obscured to protect the ignorant): a multimedia application, gui built on GTK, equal to commercial products of several hundred dollars, well worthy of the suggested paypal donation. But it requires access to the Hardware Abstraction Layer, which is provided by a different oss project, whose raw binaries will do what's needed from the command line, but no gui interface yet, unless you build it, in Qt.

    Security problems in OSS are multiplied by forking, and geekishness for its own sake.
  16. Re:OSS Security depends on people admitting a bug by JulesLt · · Score: 2, Insightful

    It's that good old 'total cost of ownership' - for the two categories you identified the answer is 'lower', but for many people lacking in IT skills it is a more complex calculation - especially in places where their IT support is already contracted out. O/S actually needs to come in and compete in these environments, rather than expecting them to become IT literate.

    Advocates need to consider the many places in their lives where they purchase things rather than make or maintain them themselves - for many people without interest in technology, software is in that category - we live in a society where people pay a premium for ready-made meals, despite the repeated message they could save money by making their own.

    --
    'Capitalists of the world, unite! Oh ... you have' (League Against Tedium)
  17. Wow by ROOK*CA · · Score: 2, Funny

    Three years, $1.24 Million, and what do we got .....

    The envelope please ...

    "LAMP "showed significantly better software quality" above the report's baseline with an average of .32 defects per 1,000 lines of code, according to Coverity. The average for open source projects analyzed is .42 per 1,000 lines."

    Wow, LAMP is a pretty damn high quality stack after all....gee thanks Captain Obvious, we didn't really need those tax dollars for anything anyways. :)

  18. Re:OSS Security depends on people admitting a bug by killjoe · · Score: 3, Insightful

    Well the expected FUD mobile shows up again.

    I especially love the "Windows XP and Office 2003 just worked" line. That's a rich one. Anybody who has actually worked with those technologies knows how much effort it takes to make them "just work".

    I do think you have a point about the incompatibilities of the office formats with other software. It's a well known fact that MS products use office formats to undermine other software. I think that people are finally wising up to this and pushing for ODF. Even MS has tried to make the default office format XML based so I think this problem will go away very soon.

    What's interesting to me is how different Office 12 looks from Office 2003 (who the fuck came up with that versioning scheme?). It will be much easier to re-train employees from Office 2003 to OpenOffice (which looks very similar) than to retrain employees to migrate from 2003 to 12. Office 12 looks and acts radically different than what people are used to.

    --
    evil is as evil does
  19. superb! by macsox · · Score: 4, Funny

    if there is one group of people i trust to be able to accurately identify a quality product, it's the government.

  20. Re:money? by BeanThere · · Score: 4, Insightful

    And I wonder how many more millions they can now save by using OSS, now that they know they can be more confident in its quality? Have you ever heard of the word "investment"?

  21. Same Old Math Error by oldCoder · · Score: 2, Interesting
    These guys just can't think straight:
    LAMP "showed significantly better software quality" above the report's baseline with an average of .32 defects per 1,000 lines of code, according to Coverity. The average for open source projects analyzed is .42 per 1,000 lines.
    So if LAMP open-source is simply more verbose than other kinds of open source, the number of bugs per line of code can go down? How about just adding a million lines of bug-free but totally bogus code to your project -- and completely winning the race of "Defects per 1,000 lines of code"?

    If I remember correctly Coverity has been discussed on slashdot previously and they used the same diseased statistical thinking back then, too.

    --

    I18N == Intergalacticization
    1. Re:Same Old Math Error by tricorn · · Score: 2, Interesting

      The real problem isn't bogus stats caused by line inflation. The real problem is that it only finds certain types of bugs. If a bug causes an incorrect result or improper behavior, but doesn't cause a memory leak or the like that crashes the program or system, then it isn't being found. It also isn't finding STUPID code - code that works but is ridiculously convoluted, slow, difficult to modify, redundant (writing 5000 lines of code to do some string manipulation and parsing that could be done just as easily and efficiently using a RE library, or use lex, or some other straightforward solution - I've seen code that re-implemented several of the standard library string routines, and to add insult to injury, did it poorly and with a memory leak - at least these guys would have found the memory leak, but their solution would probably be to fix the leak, not toss the whole routine). C++ programmers seem to do this kind of thing particularly often, although many "object oriented" programmers can screw things up in multiple languages with equal facility.
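The distinction tricorn draws above, as an added example in C. This is not code from the page or from any project in the Coverity study; it is a hypothetical "key=value" config-line parser with a fixed 16-byte key buffer (the names, the buffer size and the sample lines are all assumptions). The first parser has the kind of buffer overrun the article says the study reported; the second is the bounded version. Beside them is an off-by-one range check that never touches memory out of bounds, so a checker that looks for overruns, leaks and crashes reports nothing, and only a test of the intended behaviour catches it.

```c
#include <stdio.h>
#include <string.h>

/* Added example for this thread, not code from the page or from any project in
 * the Coverity study. Hypothetical "key=value" config-line parser with a fixed
 * 16-byte key buffer, in the form a memory-safety checker flags and in a
 * bounded form, next to a memory-safe logic bug such a checker does not report. */

#define KEYLEN 16

/* Before: the key is copied with no bound. The length n comes from the input
 * line, so any key of 16 or more bytes writes past the caller's buffer. This is
 * the buffer-overrun class the article mentions. It is here as the "before"
 * side only; never call it with untrusted input. */
int parse_key_unsafe(const char *line, char key[KEYLEN]) {
    const char *eq = strchr(line, '=');
    if (eq == NULL) return -1;            /* no '=' at all */
    size_t n = (size_t)(eq - line);
    memcpy(key, line, n);                 /* overruns key when n >= KEYLEN */
    key[n] = '\0';
    return 0;
}

/* After: the same parse with an explicit bound. Keys that would not leave room
 * for the terminating NUL are rejected rather than truncated, so a too-long key
 * cannot silently alias a shorter one. */
int parse_key_safe(const char *line, char key[KEYLEN]) {
    const char *eq = strchr(line, '=');
    if (eq == NULL) return -1;            /* no '=' at all */
    size_t n = (size_t)(eq - line);
    if (n == 0 || n >= KEYLEN) return -2; /* empty, or too long for the buffer */
    memcpy(key, line, n);
    key[n] = '\0';
    return 0;
}

/* Logic bug with no memory effect: the upper bound is off by one, so port 65536
 * is accepted. Nothing is read or written out of bounds, so a checker hunting
 * overruns, leaks and crashes has nothing to say about it. */
int port_in_range_buggy(long port) {
    return port >= 0 && port <= 65536;    /* should be <= 65535 */
}

/* Corrected check: valid TCP/UDP ports are 0..65535. */
int port_in_range(long port) {
    return port >= 0 && port <= 65535;
}

int main(void) {
    char key[KEYLEN];
    /* Constructed sample lines for the demonstration. */
    const char *lines[] = { "verbose=1", "thiskeyistoolongforthebuffer=1", "noequals" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int rc = parse_key_safe(lines[i], key);
        printf("%-32s -> rc=%d key=%s\n", lines[i], rc, rc == 0 ? key : "(none)");
    }
    printf("port 65536: buggy=%d fixed=%d\n",
           port_in_range_buggy(65536), port_in_range(65536));
    return 0;
}
```

The point of the pairing is that the bounded parser and the unbounded one differ by a single comparison that a size-tracking analyzer can see, while the two port checks differ by a constant it has no reason to care about; a defect count built from the first kind of finding says nothing about the second.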

  22. Yes. by Anonymous Coward · · Score: 2, Informative

    I'm involved in one of the F/OSS projects that Coverity analyzed; and yes, they were co-operative with the dev team in sharing their insights.

  23. Re:OSS Security depends on people admitting a bug by tech_guru5182 · · Score: 2, Interesting

    Actually, it appears to be a switch back to the old versioning scheme.

    Also, I agree with the comment about the FUD mobile appearing.

    I have no problems finding a local community college with Linux classes. I actually took one a few years ago as part of my associate's degree. You may want to try searching for UNIX instead, as Colleges usually keep old names around. The class I took was actually called UNIX Concepts, but was actually taught on Red Hat Linux.

    See
    EET 175 Network Operating Systems
    EET 208 UNIX Concepts
    at Owens Community College (https://www.owens.edu/cgi-bin/courses.pl)

    --
    BAN BPL! Keep the radio spectrum free fro
  24. Re:OSS Security depends on people admitting a bug by 0x0000 · · Score: 3, Interesting
    software is NOT always the best solution for every problem, especially when it comes to security.

    .... you say this [the above], then proceed to make an argument based solely on functionality and support of software packages available. Do you have anything to back up your initial statement there, that non-Open software is somehow better for applications that require "security" (a vague term at best, in this context, I think - are you talking security against networked crackers, automated worm attacks, attempts to de-crypt encrypted data ... )? I'm not trying to "flame" you, but you don't support your statement at all in your post, and I honestly can't think of an instance where proprietary or closed source software is "more secure" than F/OSS...

    I can not take a course on Linux at my local Community College.

    You should move to where there's a better community college - I think it may even be safe to use the word "most" when describing how many schools there are across the country now that are teaching Linux, FreeBSD, or both. Are you saying your school doesn't offer it, or that you can't take it for some other reason?

    As a sidelight, note that many schools that have received endowments from M$ (thru one channel or another) have magically dropped the course-work they once had that didn't require the purchase (at a student discount, of course) of M$ products - if that's what's going on at your school, you might want to address it with your administration - after all, when you're paying for an education, they're defrauding you if they don't give you what you pay for - regardless of what M$ is paying them (under the table) not to teach you....

    out in to the real world as system administrators and/or programmers, they will have a better chance to find a job if they know Windows and Linux

    Not sure just what sector of the real world you're talking about, here, but *I* won't hire you if you don't understand operating systems generally (we're talking critical embedded systems here - the stuff that's going to outlive the users who are thinking they need a "new" obsolete PC), and have some skill with anything that can be called one. "Platform Independence" and "Language Independent" aren't just test questions in the Real World outside Microsoft Applications Land - a rich and profitable land to be sure, but nothing grows there so all [brain] food must be imported, and life expectancy is pretty short generally due to contaminated memepools, rarefied atmospheres, and the mind numbing depressions induced by the incredibly bleak cyberscapes...)

    Anyway - all that said, I do agree with you about support for F/OSS - it is overall difficult to access, often hard to understand, and generally just unusable for those who are not already to some degree technical initiates. And that does need to change. Imo.

    --
    "The Internet is made of cats."
  25. SE-Linux by Anonymous Coward · · Score: 2, Interesting

    Why no mention of SE-Linux?
    One agency study.
    1.5 million dollars spent.

    How much did the NSA spend developing SE-Linux?
    Must have cost more than 1.5 million. And that is now at the core of Linux.

    Yes many in the US Government are aware that Open Source software rocks.

    Impeach the Liar

  26. Stamford University? You mean Stanford. by Morganth · · Score: 2, Interesting

    I know that there is a Stamford University, and everyone always jokes that it's for people who want to pretend they went to Stanford, but, this just makes things really confusing. The Register article says Coverity used a verifier from Stamford University, when really the program came from Stanford. In fact, AFAIK, UCONN-Stamford doesn't even have a CS department.

  27. Where's the Beef? by PhYrE2k2 · · Score: 2, Insightful

    To quote the Wendy's commercial, "Where's the Beef?".

    No seriously! Where's this article? I'd imagine three years and 1.25 million dollars would produce a hefty article. I'd love to give it a read! "US Department of Homeland Security has released a report on open source quality"- so where's the release?

    It cites one or two figures, and throws around lots of buzz-words, but there's no comparison? No information? No study of reliability? Nothing at all.

    PS: As a side-note, if they 'studied' 15 million lines of code over three years, and were able to identify defects, shouldn't we be seeing a nice patchset coming from Coverity sometime soon... Think about it. It's easy to tell someone else to fix it, but a good part of OSS is giving back.

    --

    when you see the word 'Linux', drink!
    1. Re:Where's the Beef? by sl4sh13 · · Score: 2, Funny

      The report must be closed source!

  28. Re:OSS Security depends on bugs being fixed by MarkByers · · Score: 2, Insightful

    Reminds me of when as a noob, I reported an error in a man page to a project mailing list, hoping somebody close to the project might pick it up and fix it. Nah, the response was: OK, write yourself a new man page.

    What project was it? Is it anything we care about?

    How about linking to your 'bug report' so that we can see this supposed reply?

    That attitude still pervades most OSS projects.

    What OSS projects are you referring to? Not all OSS projects are equal. You are generalising.

    What evidence do you have of most OSS projects having a bad attitude?

    --
    I'll probably be modded down for this...
  29. Navy Replaced Sun with Yellow Dog Linux ... by AHumbleOpinion · · Score: 4, Interesting

    The US Navy replaced Sun with Yellow Dog Linux, originally on Apple hardware and now on some other PowerPC based hardware, for sonar processing on subs.