Slashdot Mirror
LAMP Lights the OSS Security Way
Kevin Young wrote to mention a ZDNet article which goes into some detail on new results from a Department of Homeland security initiative. It's called the 'Open Source Hardening Project', and (funded to the tune of $1.24 Million) the goals of the initiative are to use a commercial tool for source code analysis to buck up the security base of many OSS projects. LAMP (the conglomeration of Linux, Apache, MySQL, and PHP/Perl/Python) was a 'winner' in the eyes of the project. From the article: "In the analysis, more than 17.5 million lines of code from 32 open-source projects were scanned. On average, 0.434 bugs per 1,000 lines of code were found, Coverity said. The LAMP stack, however, 'showed significantly better software quality," with an average of 0.29 defects per 1,000 lines of code, the technology company said.'"
Maybe I've been reading too much politics news lately, but I'm just waiting for Microsoft to come out with a statement that people capable of evaluating Perl, PHP, and Python are biased in favor LAMP solutions.
I need to do something about my cynicism.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
I'd love it if database management systems were compatible enough to allow that. The trouble is, it seems only the most basic query syntax has been standardized. Several other aspects, such as table creation, column types, auto-increment variables, and stored procedures, have varying degrees of differences or support between the various databases such that in any sufficiently complex application you would need to write a separate copy of db interface code for every DBMS that you want to support.
The LAMP stack when broken down consists of:
Linux & Apache - rock solid stable releases.
MySql - Okay, getting better with each release.
P - This is the kicker. Perl, Python, PHP, and more so lately even that R one Ruby & Rails.
We are living in interesting times when we have so much choice... much like the Chinese curse. I do not see as how you can evaluate all of these platforms together in a general fashion. Where is the skew or bias in this study?
Someone on IRC recently was critical of a small website I put together in 2000. It was written in plain html, using frames *gasp*. Many people today do not realize how far web development has come since then.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
Very Bad, and I have seen a US Defense - contracted software company (they even do helicopter systems) on their website extensively touting their 'lower defects per line of code (DLC)' methodology. Marketing.
Several other aspects, such as table creation, column types, auto-increment variables, and stored procedures, have varying degrees of differences or support between the various databases such that in any sufficiently complex application you would need to write a separate copy of db interface code for every DBMS that you want to support.
There are open (and closed) source products that have dealt with these issues for years. Modern ORMs products handle all of these matters, and automatically provide translation between portable query languages (such as JDOQL) and high-performance vendor-specific SQL depending on the database you deploy on.
It is astonishing to see these matters still being discussed as if no solution exists!