Bug Hunting Open-Source vs. Proprietary Software

PreacherTom writes "An analysis comparing the top 50 open-source software projects to proprietary software from over 100 different companies was conducted by Coverity, working in conjunction with the Department of Homeland Security and Stanford University. The study found that no open source project had fewer software defects than proprietary code. In fact, the analysis demonstrated that proprietary code is, on average, more than five times less buggy. On the other hand, the open-source software was found to be of greater average overall quality. Not surprisingly, dissenting opinions already exist, claiming Coverity's scope was inappropriate to their conclusions."

not to mention...

[msh104]

that many of the bugs found by coverity have already been fixed.

Re:not to mention...

So who sponsered this FUD submission? Must be Microsoft.

Re:not to mention...

[Derkec]

And new ones have been added. In both the OS and Proprietary worlds, people make efforts to fix bugs and as new features are added (and bugs are squashed) new ones are added.

Picking a random day and testing two pieces of software for bugs on that day is reasonably fair. The following week both products will be better, but unless you're going to test constantly, picking the latest release as of some day is the best you're going to do.

Re:not to mention...

obviously you didn't read the article, nor do you know how to spell sponsored.

Re:not to mention...

[linuxci]

I hate reports like this, there's so many reasons that bug counts don't prove anything. This all reminds me of the times MozillaQuest used to delight in posting Mozilla bug counts as a measure of quality (now MozillaQuest doesn't seem to mention Mozilla anymore, but a good parody of their Mozilla reporting is here).

Now these days you often get studies claiming that proprietary software is less buggy than free software, but it misses some very significant points, the ones we used to respond to MozillaQuest articles still apply very much to today:

• Free software projects very often have an open bug database so it's easy to see how many open bugs are in a project, most proprietary software doesn't have an open bug database so you have to trust the manufacturer and your own testing
• Not all bugs in open databases are really bugs. Some are requests for enhancement, some are duplicates and some are rants
• In some cases one persons bug may be another persons feature (e.g. if an application does something differently to the platform guidelines, some people may like this alternative behaviour, others will consider it a bug).
• The profit motive - companies have a lot to lose by letting people know about bugs, volunteer led projects tend to want people to know about bugs in the hope someone will help fix them (this is getting a bit blurred now that more and more organisations are making money off free software but the fact still is with proprietary software you can't fix the bugs so they gain nothing by telling you about them)

Sorry if this is redundant, I'm working on call at the moment and was halfway through typing this when I had some work to do!

Re:not to mention...

I remember good old MozillaQuest, but you sholdnt have put a link to it otherwise google may give it a better page rank than it deserves.

Its quite funny to think the history of the site, it actually started off as pro-mozilla containing a number of articles about using xul and other mozilla technologies, it even had some of his articles listed on the pro-mozilla blog mozillazine, then after a while he became very critical about the whole mozilla process featuring bug counts and every article was a cut and paste of the previous one but witht the bug counts updated.

Then when Phoenix, Firebird, Firefox started to become popular then the site started to drift away from mozilla coverage (perhaps he liked firefox and decided he just didn't want to bother writing about it again). Now the site is more of a Linux review site, openly critical of US government policies (which everyone should be - it doesn't make you unpatriotic to question your government you know - saying you're either with us or with the terrorists is just crap).

Anyway, your right mozilalquest did pioneer the use of bug counts to make something look bad, despite the fact that manyt people refuted these comments mozillaquests arguments seem to now be used by other sources that should know a whole lot betters.

Re:not to mention...

[belmolis]

Coverity's study is based on their analysis of the code itself, not on bug reports, so the considerations you mention are not relevant.

Re:not to mention...

[linuxci]

I was guilty of just reading the summary and comments there and when I read them my immediate thought was 'MozillaQuest style reporting' so that's what I started writing about. Anyway, the report is just as flawed when you talk about code analysis. With free software you can analyse any of the code out there without permission, whereas with proprietary software you need to be given access to the code in the first place and then you'd have to be given permission to publish the results of the analysis. I mean there's not going to be any company that's going to hand over their code for analysis and then allow the results to be published without them vetting it first.

So basically any source code examined on the commercial side will have been done with full approval so in that instance it's still invalid comparison.

However, I do believe that automated source code analysis is a good idea as part of a strategy of producing solid code, but of course it should only be an addition to rather than a replacement of other quality control measures.

Re:not to mention...

Ok Bill or Ozzie, whoever you are shill :)

Smell Microsoft?

[schnoid]

I smell some Microsoft conspiracy behind this. :-P

Re:Smell Microsoft?

[canuck57]

I smell some Microsoft conspiracy behind this. :-P

Me too, as how can this statement even be verified:

The study found that no open source project had fewer software defects than proprietary code. In fact, the analysis demonstrated that proprietary code is, on average, more than five times less buggy.

This might give a hint on what is up:

Working with the Homeland Security Dept. and Stanford University, my firm, Coverity...

The US government politicians control government, including Homeland Security, this we know and we all know of Microsoft soft and hard contributions to politicians.

But the key is in what Coverity is trying to sell, a code analyzer.

I guess we cannot blame Micro$oft (directly) for this, but their results on IIS and Outlook were suspiciously not posted. Or perhaps they didn't even look at Micro$oft? In fact, we don't know what commercial source it was compared to do we?

Another flawed and cooked report for sure. Certainly the "dissenting opinions already exist" link in the original post has more merit.

Re:Smell Microsoft?

> I guess we cannot blame Micro$oft (directly) for this
Or indirectly, or even mention them anywhere on the same page.

Just because something shows Open Source software in a bad light don't automatically assume that Microsoft is behind it.
I don't think Microsoft actually care that much about 99% of Open Source software out there. They probably even use a whole bunch in house.

There's a whole lot less conspiracies in the world than you think.

Re:Smell Microsoft?

[symbolic]

But the key is in what Coverity is trying to sell, a code analyzer.

I think they should release it as an open source project, so that we all can see how mny bugs *it* has.

So how did they test the proprietary software?

[pembo13]

I scanned through the article, it didn't seem to mention how they tested the top proprietary software. I can well understand that there are are a lot of bugs in open source code since it is written by humans. But human also right the proprietary code. How did they test it?

Re:So how did they test the proprietary software?

[msh104]

they tested it by using a program that systemattically scans code for common errors.

I don't know if the closed source statistics are online somewhere, but these are the open source statistics.
http://scan.coverity.com/

and if you ask me the "Defect Reports / KLOC" is pretty low, and such software would normally be considered "good" software.

Re:So how did they test the proprietary software?

[QRDeNameland]

Yeah, all I saw was the open source statistics as well.

Without seeing how the closed source apps were analyzed, the only conclusion I can reach is that automated bug detection finds more bugs when you have have access to the source code than when you don't. How surprising. Duh.

Re:So how did they test the proprietary software?

[pembo13]

The article was pretty clear on how they did the open source ones, but said nothing about how they did the closed source ones.

Re:So how did they test the proprietary software?

[chgros]

Without seeing how the closed source apps were analyzed.
They were analyzed the exact same way. The results are of course not public.

Re:So how did they test the proprietary software?

[chrisv]

So.... they've got a statistics page for their defect scanning tool. Which says that Subversion has 15 lines of code... umm, have they run their bug scanner against their own code? :)

Re:So how did they test the proprietary software?

[Fordiman]

If his scanner is well written, it's very likely that the specifications of 'common errors' should be available for audit. If not, this 'evaluation' is null data; we don't know what he's scanning for, and as such, we can't verify that his results are reproducable or balanced.

I call FUD, even if he's got good intentions.

Re:So how did they test the proprietary software?

[Wesley+Felter]

The same tool was used to scan the source code of all the software, whether open-source or proprietary. Obviously this requires cooperation from proprietary software developers.

Re:So how did they test the proprietary software?

[yuna49]

Why, "of course"?

Could they not have provided the same information for the proprietary programs they tested? Would the world have ended if we discovered that Word had 476 defects?

Hell, even the names of the proprietary programs they tested would have been an improvement. We're still left wondering if they're comparing Apache to some 20-year-old proprietary CAD program at Boeing where most of the bugs have already been hunted down. How is that relevant to business executives trying to assess the relative value of proprietary and open-source software for their companies?

Note that I'm intentionally begging the question of whether aggregate bug counts are a meaningful measure of software quality, which I'd dispute as well.

I'm especially sad to see articles like this, which is essentially a puff-piece for Coverity, get the imprimatur of a widely-read publication like BusinessWeek. This is the kind of article you can imagine some mid-level executive waving around when the discussion of open-source comes up at her firm. "See, open-source is buggy and you can't trust it. It says so right here in Business Week!"

Re:So how did they test the proprietary software?

[chgros]

Would the world have ended if we discovered that Word had 476 defects?
No, but Microsoft wouldn't have liked it (I'm not saying Microsoft was involved in any way, it's just to go with your example of Word)
There are those things called "NDAs" which prevent releasing this kind of data. We can't even tell you which companies were involved I'm afraid.

We're still left wondering if they're comparing Apache to some 20-year-old proprietary CAD program at Boeing where most of the bugs have already been hunted down. How is that relevant to business executives trying to assess the relative value of proprietary and open-source software for their companies?
A lot of software has been analyzed on both sides, and we're looking at aggregate data. You might say that the average target of open source (in terms of "expected quality") is different from the average target of closed source, but I don't think the comparison is fundamentally wrong.

whether aggregate bug counts are a meaningful measure of software quality, which I'd dispute as well.
It might not be directly proportional, but I think it's meaningful. And that's the data we have.

See, open-source is buggy and you can't trust it. It says so right here in Business Week!
I'm surprised how many people consider this is article as being so negative on open source. On the contrary it says that on average, open source is less buggy. Unless you only read the summary, which contradicts itself by saying that closed source is on average 5 times better than open source while open source is on average better than closed source.

Note: As you might have guessed, I work for Coverity.

Re:So how did they test the proprietary software?

[BarkLouder]

they tested it by using a program that systemattically scans code for common errors.

And we know that the results are accurate because their software had no bugs.

Re:So how did they test the proprietary software?

human also right the proprietary code

"humans", "write".

Re:So how did they test the proprietary software?

[mark.kofman]

There is also http://sourcekibitzer.org/ available with open source statistics. Its project base is oriented towards Java projects and is growing faster :)

What's a bug?

[BadAnalogyGuy]

Knuth used to have this great offer where he'd send you a check for pi or e or something if you managed to find a bug in his code.

Well, what is a bug?

I doubt he'd send me a check if I told him that TeX doesn't have an easily accessible iconic user interface. No, his concept of a bug is a deviation from the specified functionality.

But what if that functionality is wrong or sucks?

Apple does really well at creating functionality that doesn't suck. They suffer from the same problems of deviations from the spec as much as anyone, but they manage to mold their spec around what users want. Microsoft, to some extent, does the same and they release products that conform to what users want (generally) because they change the spec as necessary when customers demand change.

If you are implementing towards a standard (like most OSS projects with any traction are wont to do), then you are necessarily restricted by what that spec says. If the spec says to do something inane, the standard-follower must implement it that way.

I don't really have a point here except to say that unless they say "this is what we mean by bug", there can be no way to really examine their results.

Re:What's a bug?

[BobNET]

Knuth used to have this great offer where he'd send you a check for pi or e or something if you managed to find a bug in his code.

I think it was supposed to be a cheque for e^(i*pi) dollars.

Re:What's a bug?

[AJWM]

Knuth used to have this great offer where he'd send you a check for pi or e or something if you managed to find a bug in his code.

I think you're conflating two things. The check was (is?) for $50 or some such. The version number of the software is pi (or e) to whatever number of decimals, where each subsequent release adds a decimal place (becomes a closer approximation to the real thing.)

No, his concept of a bug is a deviation from the specified functionality.

That's the only reasonable definition of a bug in the software.

But what if that functionality is wrong or sucks?

Then that's a bug in the specification or in the requirements. I spent the better part of six months debugging the requirements on a major project once. Part of that was getting mutual agreement from three major customers, part of that was resolving internal inconsistencies in the requirements document, and part of that was a high level design process in parallel, to be sure we had a chance of actually satisfying the requirements.

Of course the end user (especially of off-the-shelf software) generally doesn't differentiate between a bug in the software vs a bug in the specification or requirements. The end user generally never sees the spec, and only has a vague idea of the requirements. (Sometimes worse than vague -- how many people do you know who use a spreadsheet for a database?)

(And to BadAnalogyGuy -- I'm not disagreeing, just amplifying.)

Re:What's a bug?

[tawhaki]

Knuth used to have this great offer where he'd send you a check for pi or e or something if you managed to find a bug in his code.

It is a $2.56 check. The reasoning for that was that it is "an hexadecimal dollar".

Re:What's a bug?

[Matt+Edd]

I want my 2e^(i*pi) dollars.

Re:What's a bug?

You do realize that e^(i*pi) = -1? :-P

Re:What's a bug?

[megaditto]

Your perfectly good joke is wasted given the literacy level 'round here...

Re:What's a bug?

[commodoresloat]

A little known feature!

Re:What's a bug?

[Profane+MuthaFucka]

Knuth sent off a binary dollar. $2.56. A lot of people consider the check worth more than that and never cashed them.

Re:What's a bug?

[mohjlir]

Knuth used to have this great offer where he'd send you a check for pi or e or something if you managed to find a bug in his code.

He still does this. He began writing checks for $2.56 (one hexadecimal dollar, in his words) to people who found errors in his books. They are a coveted prize in computer science circles. http://www-cs-faculty.stanford.edu/~knuth/faq.html

Re:What's a bug?

[dodobh]

Actually, 2.56 USD. 0x100 cents.

Re:What's a bug?

[maxwell+demon]

I think that's now called a Dobiar.

Re:What's a bug?

[quincunx55555]

No, his concept of a bug is a deviation from the specified functionality.

That's the only reasonable definition of a bug in the software.

I would disagree that it is the only reasonable definition of a bug. Aside from you already pointing out that if the design is wrong that is a bug in the spec or requirement, there is also the scenario of the software not meeting the customer's expectations. This is where it gets "variable" as some nut could expect your calculator software to play mpegs. However, if a significant* amount of the intended audience expects your word processor to be able to have a "save" feature, and it doesn't, then you have a bug (some would argue that it's a feature request, but if your software doesn't have a feature that everyone expects, it's a bug).


* Significant would be determined by the entity (person or company) creating the software. If they don't care that only three people use their software, and 997 out of 1000 expected the missing "save" feature, then 997 is not a significant number.

Re:What's a bug?

[AJWM]

What part of "bug in the software" didn't you understand?

If the requirements don't say "it must have a save feature", then that's a bug in the requirements, not the software. If the spec or requirement says "must have the usual features of a word processor", then that's close enough to specifying that it must have a save feature, since word processors are a fairly ubiquitous class of software. That's not good enough for more detailed requirements. (Save as a dump of memory? Save in a particular format? Which format(s)? etc, etc)

Expectations don't count unless they are in some way communicated to the software developers. If you're grabbing software off the shelf (or the download site), then it's up to you to determine if it meets your spec, not the software developer's.

How much is it really true?

[sandeepbansal]

Consider the case of open source software. An open source software is tested by a whole lot of people over the world and everyone is free to take the code and test if. On the other hand in case of proprietary software this is not the case and is tested by far less number of individuals. The true measure will come when a proprietary software which has been made open source is tested against an open source software and i can not think about any :( What do you think folks.

Re:How much is it really true?

[hkmwbz]

You are assuming that "a whole lot of people" actually check the code and submit patches for FOSS projects... My guess is that most testing, even of FOSS software, is done with the compiled program, not by reading the source code.

Re:How much is it really true?

[teg]

An open source software is tested by a whole lot of people over the world and everyone is free to take the code and test if. On the other hand in case of proprietary software this is not the case and is tested by far less number of individuals.

That sounds rather idealistic... The coverage on OSS varies a lot. Most is not tested much, and the testing is not systematic and analyzed, but ad hoc. And if a bug is found, many just shrug and think of it as buggy software, but don't do more about it. There is a world of difference between the high standards of large projects like the linux kernel, apache and eclipse vs. the thousands of small projects found on freshmeat or just googling for something to scratch your itch.

Re:How much is it really true?

[sandeepbansal]

I have been a part of the open source scene over a long period of type. Although automated softwares do exist for checking the code a lot of testing is also performed by going through the code.
And yes consider the scenario. You are a n00b developer wanting to do something. What do you do. You pick a piece of software (open source of course) and you go through it to get the basics of actually building the software. Now there are many n00b developers and they start with something and they usually pick a popular software due to this reason that popular software is studied by a lot of people around the world. And n00b developers are also capable of finding bugs. Aren't they?

They view point of many people may differ from mine. And yes i started with openssl :) as i needed to do it for a class project.

Re:How much is it really true?

[sandeepbansal]

I am not talking about those software. The software i am talking about are the really famous one like linux, kde, gaim you name them. And that's what we are considering here.
I do agree that a lot of OSS around the world are made as hobbies and are made to rot once the developer looses interest.

Re:How much is it really true?

[deesine]

Why are we only considering the really famous ones?

Re:How much is it really true?

[joto]

Nope. From my experience, here is what a "n00b developer" does:

1. Look at sourceforge, freshmeat, or somewhere you can find lots of different programming projects
2. Find something that every other "n00b developer" have started to work on, so there are about 200 non-functioning sourceforge projects trying to build the same kind of app
3. Start another project like the previous 200
4. Fail to do any better, and ask people to help contribute to your project instead of the 200 others
5. Forget about it after a few months, but never take down the webpage, so that this evil cycle can continue

Re:How much is it really true?

[angel'o'sphere]

Could not resist: What do you think folks. .... I think you don't know what a test is ;D and what testing means ;D
And for a software that can be considered closed and is now more or less open, at least open enough to follow your approach: Qt.

angel'o'sphere

P.S. software is not tested by numbers of individuals but by test cases, that are instruments of mesurement like a balance or a folding rule

Re:How much is it really true?

[angel'o'sphere]

And n00b developers are also capable of finding bugs. Aren't they?
No they are not to the extend of a experienced developt.
going through the code dow not find bugs. Either you do a formal correct approach, that is a walk through or a code inspection then you may find bugs, or you only have the chance to find occasional off by one errors in a loop or array index. Just by looking over code as you say in your n00b appoach you only find suspicious pieces of code.
What now? You change it to be less suspicious? And then? You commit it? So you don't know if somethign elsewhere is breaking now because of your change? Ah .... you have test cases for the software? So you run them after your refactoring? What now? All pass as before? Oops, if so: then you had no test case for that piece of suspicious code you just have fixed! So you still don't know if there was an error or not!

Testing means to DEFINE how individual pieces of code should behave and writing a test case exactly for that. Changing software and fixing bugs means to have tests, lots of tests, not eyeballs.

angel'o'sphere

P.S. that does not mean that formal walk throughs / inspections don't work, they do!! But informal ones are only for educational purpose intersting.

Re:How much is it really true?

[VisceralLogic]

How about Blender? I don't know what sorts of bugs it has, but it has gone from closed to open source.

Re:How much is it really true?

[maxwell+demon]

Maybe because for proprietary code you generally also don't consider some obscure one-man shareware project almost nobody has never heared of?

old rant?

[bogaboga]

In fact, the analysis demonstrated that proprietary code is, on average, more than five times less buggy.

Isn't this an old rant? Sorry if I come out as a troll!

Horrible Comparisions

[Herkum01]

"Deanna Asks A Ninja: What is the circumference of a moose?!"

"It's michael pailum with his face in a pie times douglas adams squared."

This answer makes as much sense as the article.

Except "Ask A Ninja" made more sense. And was more accurate. And more entertaining.

Can I just get a Ninja hit out on this guy something so these articles will not make it slashdot anymore?

Re:Horrible Comparisions

Palium?

Someone needs to contact Python (Monty) Pictures Limited to get this spelling mistake fixed, and pronto!

How do they do this?

How do they find all bugs in a program? what's their secret? They have to ge really great debugers... I think this kind of conparasions is hardly never accurate, May be in open source projects the kind of bugs is diferent... Depending on how you program you make one kind of mistakes more than others, Does someone agree?

Re:How do they do this?

[someone1234]

They can easily find bugs in an open source program. Go to its bugzilla page and list the bugs.

Number of Bugs vs Bug types

[Alien54]

The problem is that there are different types of Bugs. things like a typo in a help file, or American spelling vs British spelling, vs a bug were the app crashes the system when installed on a system with an early version of Quicktime are clasdsified differently.

The summary just says all bugs, which is not fair if the proprietary has 5 times the number of critical or super-critical bugs.

Re:Number of Bugs vs Bug types

So, you think Coverity's automated application has magical software that detects typos in help files?

Re:Number of Bugs vs Bug types

[LetterRip]

Coverity scanner only checks for programming errors. Ie things that cause crashes, etc.

However as others have pointed out they are comparing mission critical software to non mission critical software. What should have been done (as has also been pointed out) is to cluster by usage case or software field. So databases to databases, browsers to browsers, generic office usage to generic office usage, etc.

LetterRip

Re:Number of Bugs vs Bug types

[IWannaBeAnAC]

Why not? A spelling check over a help file would be very easy to do.

Re:Number of Bugs vs Bug types

[Vo0k]

jet engine control to... uh, xgalaga?

Re:Number of Bugs vs Bug types

[marty-heyman]

I couldn't agree more. But it's really only interesting if they stop grandstanding and compare comparable products. In our case, Coverity shouldn't make any statements about Open versus Closed source unless they have some degree of comparable data for OpenLDAP versus Netscape/Red hat, Sun, IBM, CA, Novell, and Oracle (at a minimum) Directory Server products. Comparing the bug level in OpenLDAP to that of a Jet Engine control program is not only misleading (because they don't give you a measure of the cost per thousand lines of code to achieve the defect level) but irrelevant because people evaluating Directory Servers don't care what the defect level is in some other irrelevant discipline's closed soource code.

I find it unacceptable that they publish all this pretty, and generally positive, information about which projects in Open Source they scanned and then draw conclusions without telling the reader which non-Open Source Code they're comparing it to. One suspects, in the dark of night and in a paranoid frame of mind, that they're comparing to what Homeland Security COULD give them which is stuff nobody's much heard of and no Enterprise would think of deploying. Just s suspicion but one that's left on the table by the one-sided reporting.

Re:Number of Bugs vs Bug types

[Alien54]

I was merely trying to give examples of bugs which are probably cosmetic issues (fit and finish stuff) vs those which have slightly more destructive consequences. Old slow systems would expose race condition errors that were not visible on newer systems, for example.

The example of quicktime is relevant, since early versions (say, up to about v4) would create weird crashes and conflicts under windows with some software which were not present when later versions were installed. You could go nuts trying to track the bug down and duplicate it, unless you spotted this. The correct fix was a note in the readme to have Quicktime up to date, even if the product did not use it.

Re:Number of Bugs vs Bug types

[metalmaster]

Its not just that though. Whwn bugs are found in open-source software they can be easily dealt with. If a bug is found within proprietary software you'd have to wait for the next patch or update...and that can take time.

Exactly what constitutes a software bug?

[dapsychous]

Somebody please explain to me exactly what kind of software bug can be found by automatic scanning that isn't found by standard debugging and compile-time checks. If a computer can ascertain exactly what the programmer intended to do, why do we need programmers?

The simple answer to this is that they can't. That's the point behind hiring human codeslingers to write applications. Considering that most software bugs are logic bugs (off by one, etc) that can't be directly seen in the code without actually, you know, RUNNING the program, I find it difficult to believe that AI has come to the point where it can guess the coder's intentions and infer the purpose of an application.

Additionally, where exactly did this proprietary code come from? I don't know which companies these programs were released by, but other than the SharedSource initiative which mostly caters to programming students (if they still even have this program), Microsoft would call their next o/s Windows Sh*tburger (I think I'll trademark that) before they would release their code, especially to a third party consulting firm.

I find this article highly suspect

Re:Exactly what constitutes a software bug?

[dgatwood]

Somebody please explain to me exactly what kind of software bug can be found by automatic scanning that isn't found by standard debugging and compile-time checks. If a computer can ascertain exactly what the programmer intended to do, why do we need programmers?

Security holes. Coverity specializes in programmatic detection of buffer overflows.

On a related note, as a programmer, I find open source software much more valuable than closed source because WHEN (not if) I find a critical bug, I can usually fix it myself instead of being dependent on someone else. I would GLADLY pay more for proprietary software to be able to get the source code along with it, even if I had to sign a nondisclosure agreement to get it. Nothing annoys me more than having to wait for somebody else to decide that my problem is important enough to fix. To -me-, it is the most important problem in the software.

Re:Exactly what constitutes a software bug?

[dgatwood]

Security holes. Coverity specializes in programmatic detection of buffer overflows.

Oh, and I forgot some of the other obvious things you can check for: unreachable code, comparisons that always evaluate to true or false, possible uninitialized use of variables, global and/or heap storage of pointers to variables on the stack.... There are a lot of things that are usually unsafe to do and are usually bugs. It is usually too slow to check for this stuff during compilation, as it requires at least some degree of static (and possibly dynamic) function call tree analysis.

Re:Exactly what constitutes a software bug?

[angel'o'sphere]

Somebody please explain to me exactly what kind of software bug can be found by automatic scanning that isn't found by standard debugging and compile-time checks. If a computer can ascertain exactly what the programmer intended to do, why do we need programmers?

Decimal one = 1;
Decimal two = 2;

one.add(two);

System.out.printline(one);

Guess whats printed? Similar errors are made if you use methods on java.lang.String like replace(pattern, replacement, pos).

The simple answer to this is that they can't.
Thats a very uninformed oppion! Tools like http://pmd.sourceforge.net/ have a data base of over 100 "bug patterns" to check your code againt. That does not mean all found points are truely positive, but thy definitely are bad coding practice and my end in a bug later if the code gets changed. There are lots of simialr tools, check IBMs alaphaworks and developerworks e.g.

angel'o'sphere

Re:Exactly what constitutes a software bug?

[ClosedSource]

"That does not mean all found points are truely positive, but thy definitely are bad coding practice and my end in a bug later if the code gets changed."

All changes to code have the potential to introduce a bug. Sorry, but non-conformance with "best practices" is not a bug.

Re:Exactly what constitutes a software bug?

[EvanED]

Somebody please explain to me exactly what kind of software bug can be found by automatic scanning that isn't found by standard debugging and compile-time checks.

A *LOT*. The existance of bugs such as buffer overflows PROVES that the "standard debugging and compile-time checkes" are insufficient.

CCured found bugs in a couple different applications. Three separate programs in the SPECINT benchmark set (compress, ijpeg, and go) had bugs. In SPECINT! Probably one of the most heavily analyzed programs ever -- people have been known to tune their programs to perform particularily well on those benchmarks.

CQual found several unchecked dereferences of user pointers in the Linux kernel (2.4 at the time) and device drivers. Which, btw, could have been used as, say, a priviledge escalation mechanism. One of the drivers had just undergone a security audit specifically looking for user/kernel bugs and passed. Linus's Sparse does the same sort of thing as CQual.

Microsoft's Static Driver Verifier found a race condition that could have led to a bug check in the parallel port driver that had been there for years. (Granted, the set of circumstances required to trigger it are absurdly remote, and require removing the physical port form the computer (perhaps by removing a laptop from a dock) at the same time you're doing something else.)

Fact is that there's a LOT that can be detected statically that programmers get wrong.

Re:Exactly what constitutes a software bug?

[EvanED]

BTW, in full disclosure, CCured isn't a static analysis tool per se, and may have required running the programs to find the above bugs. But without the instrumentation CCured they would have gone undetected.

Another paper from UC Santa Barbra and (I think) the Technical Institute of Vienna used static analysis of compiled code (not even source!) to try to determine if a kernel module was malicious. (In this context, "malicious" means that it acts like a rootkit; in other words, if it modifies internal kernel data structures that don't belong to the kernel module itself.) They tested 7 rootkits and the entire driver database that comes with Red Hat. Their tool god a perfect detection rate -- no false positives, no false negatives. (The paper does have some issues -- like how did they pick the rootkits they tested, did they analyze them and then build the tool or the other way around, are there other rootkits they didn't test, how easily would it be to make a kernel module that would pass their test, etc., but it does provide a demonstration of the sort of power that static analysis can give you.)

Re:Exactly what constitutes a software bug?

[EvanED]

There's a difference though between "a code change can break the code, despite the surrounding code's quality" and "the surrounding code is very brittle; tread lightly." Stuff like "check preconditions of functions, especially if they are on a module boundary" are important and should be present. It's the idea of failing early. If I pass you bad data, and you fail in an assert, that's good; if I pass you bad data, and you corrupt your internal variants and continue running for a while, that's bad. Functions that can't trust their input and yet don't verify it are brittle.

Code like

int A[SIZE];
memset(&A, 0, SIZE);

is brittle. If the first line is changed to

int* A = malloc(SIZE * sizeof(*A));

the second line breaks. Better is to have

memset(A, 0, SIZE)

. In the first case it does the same thing, and in the second case doesn't break.

Re:Exactly what constitutes a software bug?

[ClosedSource]

The real problem with the code you used an example is that the programmer who changed the first line did so without adequately studying the existing code. Future bug insertion can't be prevented by anyone except the individual guilty of it.

A bug is something that causes a program to work incorrectly. It has nothing to do with mistakes that may be made later in other software releases.

Re:Exactly what constitutes a software bug?

Somebody please explain to me exactly what kind of software bug can be found by automatic scanning that isn't found by standard debugging and compile-time checks.

Please, please tell me you aren't involved in any way in software development. Your question is so utterly cluless and betrays such a fundamental lack of understanding that you couldn't possibly grasp the answer without tremendous efforts being expended.

Re:Exactly what constitutes a software bug?

[angel'o'sphere]

The real problem with the code you used an example is that the programmer who changed the first line did so without adequately studying the existing code.
No, thats not the real problem.
The real problem is: a standard C compiler will compile that bullshit without any notice.
And the second problem is: its hard to write a test case for something like this, as it is common/more easy to write test cases for entire functions and not some few lines of code in the middle of them.
Thats why "code pattern finders" are used to find code that looks dangerous ... nevertheless, as I stated in my previous post, dangerous looking stuff mihgt be just ok.

angel'o'sphere

Re:Exactly what constitutes a software bug?

[ClosedSource]

God forbid that anyone would have to recognize a problem without the help of the compiler, or write a test case outside the comfortable confines of the unit testing frameworks that are currently in vogue.

Re:Exactly what constitutes a software bug?

[dapsychous]

In light of the replies to my statement, I would like to concede the point. It's been a long time since I've written any meaningful code, and appearently I'm a little rusty.

Re:Exactly what constitutes a software bug?

[51mon]

Hehe, surely the main difference with free software is you can run a similar quality tool over the source code, and know if the programmers involved sorted these kind of defects, or even just look it up at Coverity.

So you know if the program you are using is better than average or not.

I was actually pretty encouraged, I have Linux servers, running Apache, and Postfix, with Postgres backends, and Perl front ends, with a little PHP. Authentication via PAM.

When I looked at my deployed base of software, I'm seeing a lot of code with zero defects detected remaining (okay, a lot of them probably haven't been upgraded for reasons of system stability, if these fixes didn't make Debian stable, and I suspect a lot won't because they aren't that important).

Of course I know they are low defect products, that is why I chose them (without Coverity's help I might add). This leads the main security issues being my programming skills in creating web applications, and utilities. You don't need to use units as big as "per Kloc" when measuring my defect rate.

We also run some servers with Windows, IIS, various COM objects, and I can only assess the quality by how the software behaves, i.e. bugs affecting functionality, on that basis the equivalent proprietary software sucks in comparison, but is very clearly getting better recently. Of course these numbers say nothing directly about functionality issues, but I think experience tells us there is some correlation, otherwise how did I end up with so many low defect applications?

As others observed the published data speaks volumes more than the commentary. Since code can't have negative defects.

What no "qmail" statistics? Given Wietse noted some of the Postfix "defects" were false positives, I suspect it would cast more darkness than light, but hey they should test it just so we have something else to bitch about next week, now we've covered vi versus emacs.

Of course Emacs biggest defect is I don't have time to relearn how to use it, and that sort of defect wasn't covered either.

Re:Exactly what constitutes a software bug?

[angel'o'sphere]

Hehe,

no one argues to find a bug without any tool, jusgt with your eyes, even without knowing ther is one, just by looking at the line and saying: "wow, that can't be right!".

If you can do that in your favourite language, fine!! I only say:
a) its not very time effective
b) some people can't!
c) some people think they can but in fact they can't (because certain stuff they simply don't know)
d) teaching this ability is hard, time consuming, or simply does not happen, people learn it in an autodidact way so an organization does usullay nothave enough such people.
e) the core problem remains: did you have a test case before you change it? Do you write a test case now? Everyone knows that changing code is dangerous, as you might have side effects, the less test cases you have the less likely it is to even notice the side effect.

So, your aproach is just fine, but it is no viable approach on the large scale, nor is it cost effective, nor gives it any guarantee to find a problem, especially it obviously is not possible for you to find a problem where you have no clue for what to look, e.g. if you don't know what a buffer overflow is, you wont look for (possible or true) buffer overflow situations.

Even worse: when you learn about buffer overflows you have to recheck all the code you already have checked, with that new bug pattern in mind, while with a tool you just change the pattern database and let it chek all code again.

angel'o'sphere

Re:Exactly what constitutes a software bug?

[synthespian]

Somebody please explain to me exactly what kind of software bug can be found by automatic scanning that isn't found by standard debugging and compile-time checks?

How about run-time errors?

just an example of how "buggy" OSS software.

[msh104]

as scanned by coverity.

linux 2.6: 3,315,274 lines of code, 0.138 / 1000 lines of code.
kde: 4,518,450 lines of code, 0.012 bugs / 1000 lines of code.

based on this I would say we are doing pretty good with open source.
but we shouldn't forget that this tool only scans coding errors, not coding logic.

wine for example only has 0.112 / 1000 lines of code as well.
and we all know it by far doesn't always do what we want it to do. ;)

Re:just an example of how "buggy" OSS software.

> wine for example only has 0.112 / 1000 lines of code as well.
> and we all know it by far doesn't always do what we want it to do. ;)

Well duh! It is an implementation of the Windows API. And when considering how often the WinAPI does what you want, I think they have made a perfect copy.

Re:just an example of how "buggy" OSS software.

[Reziac]

Quoth the poster:

linux 2.6: 3,315,274 lines of code, 0.138 / 1000 lines of code.
kde: 4,518,450 lines of code, 0.012 bugs / 1000 lines of code.

So far so good! But for contrast, I'll add this stat from TFChart:

Gnome: 31,596 lines of code, 1.931 bugs / 1000 lines of code.

Eeeep!!

(No wonder I prefer KDE :)

Re:just an example of how "buggy" OSS software.

[Mad+Merlin]

Wine is more incomplete than buggy. It can run all sorts of outrageously complicated Windows software rather well (Microsoft Office and Lotus Notes, for example), but some other applications will use things that simply aren't implemented yet and thus you really end up with a hit or a miss situation without much in between.

Re:just an example of how "buggy" OSS software.

[ClosedSource]

This is the problem with a lack of formal requirements. If the requirement is to run all Windows applications properly, than not doing it is a bug. If the requirement is to run a specific subset of Windows applications, than it's not.

Of course, if the problem is that Wine is not finished, than it should be label as a work in progress rather than a finished product.

Re:just an example of how "buggy" OSS software.

[AJWM]

wine for example [...] we all know it by far doesn't always do what we want it to do.

Sounds like a pretty fair emulation of Windows to me. ;-)

Re:just an example of how "buggy" OSS software.

[tawhaki]

wine for example only has 0.112 / 1000 lines of code as well. and we all know it by far doesn't always do what we want it to do. ;)

That's the problem. In order to do what we want it to do, it probably has to increase the bug count absurdly.

Re:just an example of how "buggy" OSS software.

[ArsonSmith]

May be more bugs but at least it isn't a 4.5Million line bloated piece of crap.

Re:just an example of how "buggy" OSS software.

Of course, if the problem is that Wine is not finished, than it should be label as a work in progress rather than a finished product.

What is this finished product of which you speak?

Re:just an example of how "buggy" OSS software.

[ClosedSource]

Almost any video game created during the "classic" period.

Re:just an example of how "buggy" OSS software.

Hmm, I guarantee that Gnome has a lot more code than that!

Re:just an example of how "buggy" OSS software.

"linux 2.6: 3,315,274 lines of code, 0.138 / 1000 lines of code.
kde: 4,518,450 lines of code, 0.012 bugs / 1000 lines of code."

I'm surprised at how few 'bugs' were found in Linux.
Kernels are not written in the same way as other software. They do things to memory and hardware that would be considered dangerous, if not obscene, if attempted by a userspace application.

Re:just an example of how "buggy" OSS software.

[Reziac]

No doubt (come to think of it I've seen a figure up in the 4M lines area) ... maybe the autochecker got overwhelmed already and quit :)

Re:just an example of how "buggy" OSS software.

[Breakfast+Pants]

Perhaps their scanner can't detect bugs in C++ code as well as it can plain C.

Re:just an example of how "buggy" OSS software.

[ScepticOne]

You mean it's a bloated piece of crap implemented in fewer lines of code?

Re:just an example of how "buggy" OSS software.

[AVee]

Or perhaps coding in C++ is just a far better idea then coding in plain C? It may be rare, but sometimes the new thing is just better then the old one...

Re:just an example of how "buggy" OSS software.

[maxwell+demon]

Of course, if the problem is that Wine is not finished, than it should be label as a work in progress rather than a finished product.

That's what a version number beginning with a 0 generally tells you. Wine is currently at 0.9.22, so expecting a finished product isn't reasonable.

Re:just an example of how "buggy" OSS software.

[Mad+Merlin]

Of course, if the problem is that Wine is not finished, than it should be label as a work in progress rather than a finished product.

For a piece of software that was in alpha for over 10 years and only within the last year finally reached beta, I think it's sufficiently known as "not finished yet".

Re:just an example of how "buggy" OSS software.

[ClosedSource]

I don't know the details because I have no interest in it. Given it's unfinished state, it seems inappropriate that it is recommended so often as a viable alternative to using Windows.

Re:just an example of how "buggy" OSS software.

[Mad+Merlin]

So because Wine is only known to work with many Windows applications and not *all* Windows applications, it's not suitable to use for any Windows applications? By that logic, Windows 2000/XP aren't suitable replacements for Windows 98 because they're not compatible with *every* application that Windows 98 is.

Re:just an example of how "buggy" OSS software.

[ClosedSource]

"So because Wine is only known to work with many Windows applications and not *all* Windows applications, it's not suitable to use for any Windows applications?"

As you well know, that's not what I said. I think it makes sense to say Wine allows you run Windows applications x,y, and z. It doesn't make sense to claim it's a general replacement for Windows.

Re:just an example of how "buggy" OSS software.

[Mad+Merlin]

I never said it was a general replacement for Windows and neither did anyone else in this thread.

Most software needs can be filled by native applications for Linux, but for the odd thing that doesn't have a native application, Wine can usually be used to fill that hole. That's what I say, and that's what I see most other people say.

Re:just an example of how "buggy" OSS software.

[ClosedSource]

I never said you said ... oh forget it.

It's very common on Slashdot to read that wine is the solution for running Windows applications on linux without mentioning any limitations.

Re:just an example of how "buggy" OSS software.

Crap to some. Gold bars to others.
Somebody upset that their not a billionaire?

my open-source project was scanned by Coverty...

...and while it is on the list on the web page, I was happy to determine that most of the issues they found were false alarms. They found three real bugs, none of which were likely to bite, and even if they did bite it is not exploitable. Nonetheless, those bugs probably wouldn't have been found otherwise, so I was happy for the scan.

Rather than brag (I won't say who I am or the name of my project), I'm just going to sit back and read all the defensive flames from self-appointed "security experts" whose open-source project didn't do so well. After all the flames from these "security experts" that I've endured, I'm going to enjoy watching them squirm.

It's karma.

Why is this surprising?

[Chairboy]

Why does this surprise anyone? Propriety software traditionally undergoes a formalized, designed testing process. It's not perfect, but it's an ordered approach to boundary testing, design level implementation of quality, and more. Open source software must rely on after-the-fact testing in the form of "this broke when I tried to do this".

In the end, it comes down to black box vs. white box testing. Commercial software has a strong QA engineering component. Open Source software relies primarily on a black box testing approach.

Open source has MANY benefits and MANY advantages over commercial software. This just doesn't happen to be one of them, but unlike the commercial software, the bug fix cycle on open sourced stuff can be a LOT quicker, so it evens out in the end.

Re:Why is this surprising?

[ammoQ]

Proprietary software is, more often than not, driven by market pressure and release dates that must be met, no matter what the QA department says.

Re:Why is this surprising?

[tb3]

Are you nuts? Or are you just trying to see how many vapid over-generalizations you can jam into a single comment?

Propriety software traditionally undergoes a formalized, designed testing process. It's not perfect, but it's an ordered approach to boundary testing, design level implementation of quality, and more.

Says who? QA and testing covers the entire gamut, from formalized unit-testing at every level, to 'throw it at the beta testers and hope nothing breaks'. it's got nothing to do with 'proprietary' (not 'propriety') vs open source.

Open source software must rely on after-the-fact testing in the form of "this broke when I tried to do this".

Where on Earth did you get that? Are you completely oblivious to all the testing methodologies and systems developed by the open source community? Here's a few for you to research: JUnit, Test::Unit, and Selenium.

Commercial software has a strong QA engineering component. Open Source software relies primarily on a black box testing approach.

Again with the generalizations! Commercial software development is, by definition, proprietary, so you don't know how they do it! They might tell you they have a 'strong QA engineering component' (whatever that means) but they could be full of shit!

Re:Why is this surprising?

You've obviously not worked at a company producing proprietary code...

Re:Why is this surprising?

[westlake]

Proprietary software is, more often than not, driven by market pressure and release dates that must be met, no matter what the QA department says.

and an open source project is never under pressure to get something out the door?

Re:Why is this surprising?

[canuck57]

Why does this surprise anyone? Propriety software traditionally undergoes a formalized, designed testing process.

Not always. Perhaps some companies do but it is far from a universal practice. More the common practice is to whip it out as fast as possible and patch it later. Even if a company has a QA, they are often just documenting the bugs found for future releases. Understaffed and politically managed developers may take years to fix issues. This is very common and I suggest the norm in business grade software.

Most seasoned systems administrators with a software development background know which companies tend to be better and worse. And it is no different with Open Source, some projects are better than others.

Re:Why is this surprising?

[fahrbot-bot]

Propriety software traditionally undergoes a formalized, designed testing process. It's not perfect, but it's an ordered approach to boundary testing, design level implementation of quality, and more. ... Commercial software has a strong QA engineering component.

I think the other replies to your post were pretty spot-on, so I'll just summarize them here:

Man that was funny! I laughed and laughed...and so did the Software and QA Engineers at work.

Re:Why is this surprising?

[ms1234]

The bugs not caught by the QA is caught by the customers and hopefully are reported back to the company as a bug which is either resolved and patch is issued or a workaround is made ("it's just a feature") and it gets put on a fix list and it gets fixed in .. X years?

Re:Why is this surprising?

[alphamugwump]

Actually, yeah. It's just that they don't have to heed it.

Re:Why is this surprising?

[tricorn]

It's even simpler than that. The "high quality proprietary software" that they're looking at is going to be specialized software, running on well-defined hardware, with all components completely specified (operating system, if any, library, compiler). It isn't going to be written to be as flexible as possible, able to be compiled for 10 flavors of Unix/Linux/Mac/Windows, using ANSI and non-ANSI compilers and a variety of standard libraries on 8 different processor families, with different endian and word sizes. It isn't going to have compile-time enabling or disabling of the various features that different people think are important to have or are not important enough to compile in. It isn't going to have support for multiple languages, multiple time zones, alternate collating sequences. It won't have a configuration file that can drastically alter the way it works, with several levels of defaults, working in multiple "standard" file-system layouts.

It is probably going to be a program that has been in use, mostly unchanged, for many years. It is going to have a very specific set of well-defined operating characteristics. The level of complexity in operating modes and interactions between components in the product will be low. It also won't have a lot of people clamoring for new and changed features, so it will be stable.

Now, there are going to be some Open Source programs with similar characteristics. However, you won't find them by scanning the "50 most popular" ones.

That's not even considering that they're only looking at suspicious code that might cause clearly undesirable behavior. They aren't looking at ALL if the software actually does what it is supposed to do, or doing it in a considerate manner (considerate to the end user, that is). If the program fails to save my file in certain circumstances because it didn't set a flag in the right place, their checks won't find it, yet that could be as disastrous to me as the whole program crashing on a null pointer dereference. Similarly, it isn't going to see that the auto-pilot function will cause the aircraft to suddenly engage reverse thrusters when you cross over the North Pole, for example, nor is it going to notice that the stupid VCR firmware cancels the program if I don't turn power off in time instead of starting to record even though it is 5 seconds into the show.

Re:Why is this surprising?

[dbIII]

Propriety software traditionally undergoes a formalized, designed testing process.

While open software undergoes peer review often in addition to a formalised, designed testing process. You forget that a lot of open software is written by people who want to get a paticular job done well without completely reinventing the wheel. Some of the same QA people can end up testing non-proprietry code.

Personally the biggest problems I have with some proprietry software is abandonware and lack of support. I dislike paying a few thousand a year for specialised printing appications that will only work from a 256 colour display or the alternative from another vendor that hasn't had a patch for eight years but still has bugs. It's also annoying to find a showstopping error that prevents the application being used at all that can be fixed by changing a single line of code (parameters to pass to on another application) which isn't fixed for six months due to THE programmer going on holidays for a few months and then dealing with the backlog (this was software from a company with more employees than Microsoft).

Misquoting TFA

[Harmonious+Botch]

While I appreciate that PreacherTom was good enogh to bring this to us, the sentence "...no open source project had fewer software defects than proprietary code." just does not match TFA.

TFA says that no open source project is as good as the BEST of proprietary, but it also says that the AVERAGE open source is better than the AVERAGE proprietary.

Re:Misquoting TFA

[sensei+moreh]

"...no open source project had fewer software defects than proprietary code." just does not match TFA. AMANDA,emacs, ntp, OpenMotif, OpenPAM, Overdose, Postfix, ProFTPD, Samba, Subversion, tcl, Thunderbird, vim, XMMS all now with 0 defect reports/KLOC. That must match the best closed source software!

Better than average

The open-source development community must first graduate from Lake Wobegon University, where all of their software is just above average

This article is about how apache is more buggy than control software for a jet engine. Yes, I hope that's true. Maybe open-source is not better than the BEST stuff out there right now, but they say it explicitly -- its better than your average proprietary package.

Not quite...

[Timothy+Brownawell]

The study found that no open source project had fewer software defects than proprietary code. In fact, the analysis demonstrated that proprietary code is, on average, more than five times less buggy. On the other hand, the open-source software was found to be of greater average overall quality.

No, *popular* open-source software is 5x as buggy as *safety-critical* closed software. The linked dissenting opinion is at least partly right; they're comparing apples to oranges.

Maybe they should try comparing open- and closed-source software that's actually trying to solve the same problem? That'd be a bit more valid of a comparison...

Re:Not quite...

[Toon+Moene]

> Maybe they should try comparing open- and closed-source software that's actually trying
> to solve the same problem? That'd be a bit more valid of a comparison...

The obvious thing is to compare compilers. Throw random input at them and see how they cope.

Re:Not quite...

[maxwell+demon]

I guess all compilers will quickly stop with "syntax error", "parse error" or similar if you throw random input at them. It's highly unlikely that this way you'll trigger a bug in the compiler even if the compiler is very buggy.

And even more dissenting opinions

[Jimmy+King]

Well, the article with some arguments covered one thing I was going to mention, there's a big difference between software to control jet engines or nuclean powerplants and software to be used as an office suite or the like. Of course there will be quality differences between those as bugs in one can likely kill people where as bugs in the other probably won't. They have different levels of allowable bugs and required quality. The other thing which was not mentioned in the second article was this. What were the bugs and how quickly are they fixed? Having the same amount of bugs or even more bugs may not be a problem if those bugs are mere annoyances rather than something that can cause you to lose hours of work or security holes which can cause you to have secure information stolen or be used to attack someone else. How fast the bugs are fixed also matters. What if one piece of software has only 3 bugs but they take 2 weeks each to fix whereas another piece of software has 8 bugs of similar urgency to fix but has each of them fixed in only 1 or 2 days? Which is the better software in this case? Now maybe these things were taken into account, but the article certainly didn't make it clear to me if they were or not.

Re:And even more dissenting opinions

[gnasher719]

I'll add a dissenting opinion - not that these guys are wrong, but that whatever they are publishing is pointless.

First, some kinds of software have harder requirements. Live critical software will have fewer bugs. That is just caused by the fact that there is zero tolerance for the slightest possibility of a bug, so there is hundred times more time invested in each line of code. Lets say it takes you two hours to write some code at reasonable quality. Your boss says: That's fine, but we must have a one hundred percent guarantee that this code is bug free. So he gives you five weeks time. Unless you are a complete moron, five weeks will be enough time to make it bug free. On that scale, Microsoft can deliver a bug-free Vista about two years before the sun turns to a supernova.

Second, automated tools don't find bugs, they find things that look suspicious to the tool. If you are used to some tool finding suspicious code, you will stop writing code that the tool finds suspicious (which will include quite a few bugs). You will have just as many bugs that don't look suspicious to this tool as you had before. As a consequence, the tool will find lots of suspicious activity in code written by people who never used this tool - if they were good programmers, very few of the suspicious activities will actually be bugs.

Third, testing doesn't find certain bugs. An example that actually happened to me: I forgot to initialise a variable. The code could not possibly work unless the variable was initialised to zero - but the testers didn't find a bug. Investigation showed that the code was called from three places, and looking at the assembler code, in each case the register holding the variable was actually passed in as zero by coincidence. Clearly a bug, but on the assembler level there was no malfunction, and therefore no user visible bug that testing could have found. Of course, just changing the compiler could have made the bug visible.

Re:And even more dissenting opinions

[maxwell+demon]

On that scale, Microsoft can deliver a bug-free Vista about two years before the sun turns to a supernova.

Given that the sun will never turn into a supernova (it's just not heavy enough for that), what does this tell us about Microsoft? :-)

Actually

[YetAnotherBob]

the report (carried by Business Week) said that the Porpriatary software that beat out the open source stuff was avionics software or controls for reactors or other heavy industrial software. That stuff is all small, done in assembly, and extensively tested.

It was not an apples to apples comparison, more like apples to diamonds. Dom't worry, just fix any real problems identified. Many of the bugs found are theoretical, not real. Many others are style questions. the experts will probably never quit arguing about what is 'good' and what is 'bad'.

There are also some very real race conditions, memory leaks, and things like that. A real list by line number would be nice.

That said, what would really matter is a comparison program by program. I don't think my quick and dirty one off is really in the same class as the Kernal, or Firefox,I havn't seen how this diferentiates.

Re:Actually

It was not an apples to apples comparison, more like apples to diamonds.

Exactly. I'm including 100% bug free open source code, free/Free. No planes crashing here, baby!

---CUT---8<---HERE---
#!/bin/bash
clear
echo "You can scan all you want but there are no bugs here!"
echo ""
echo "I am adding next line to make this program even more complex, \
for a good measure."
echo ""
date ; uname -a
echo ""
echo "And then, even more, with some loops!"
echo ""
        for i in `ls /usr/`
         do echo $i
         echo ===============;
        done
echo ""
echo "Isn't this as good as proprietary code that controls jet engines?"
echo ""
echo "I thought so."
echo ""
echo "Have a nice day!"
CUT---8<---HERE

Re:Actually

I'll post this anonymously with respect to my employeer. I work for a company that develop avionics software. And I have to disagree with you that the programs used are small and written in assembler. Most of our software is rather large and is written in C.

We have no real QA, but when we create software for new aircraft types they are always tested and certified by appropiate authorities, e.g. the authority responsible for air traffic control. That may explain that in those software programs we have NEVER found any bugs. I find rather interesting, because there has to be some bugs damnit!

Well anyways, just wanted to give you all an insight in how we work when we develop our avionics software.

Re:Actually

[maxwell+demon]

I've found a bug in your code. Since it's Free, it should run on about any Posix system (at least you didn't give any specification saying otherwise). Your program, however, fails to run on systems which don't have /bin/bash.

Suggested fix: Change the first line of the script to #!/bin/sh

Looking again, I see a possible second bug: AFAIK there can be limitations on the length of the argument line, and expanding ls /usr/ may get larger than this length.

Suggested fix: Use xargs with nested shell invocation (sh -c) instead.

Ok, so depending on if I'm right on the second one, you have either one or two bugs for your 21 lines, or 47.619 bugs/KLOC resp. 95.238 bugs/KLOC. I really hope the jet engine control code is better! :-)

Open or Closed ?

[quiberon2]

Open-source software is expensive if you want a commercial support contract (because you are asking a professional to spend a lot of time learning).

Closed-source software doesn't have the function that you want, and you cannot fix it to add the funcion that you want.

You pays your money and you takes your choice. You can always stick to pencil-and-paper, and not use this 'software' stuff at all, if you prefer.

Re:Open or Closed ?

[canuck57]

Open-source software is expensive if you want a commercial support contract (because you are asking a professional to spend a lot of time learning).

How is this going to be different say for any new commercial or open source product a company has or is about to get? Learning in I/T is a given (unless you want to be RIFed or outsourced) or only hire chair mushrooms. But in any case, learning challenges follow both open and closed source.

Closed-source software doesn't have the function that you want, and you cannot fix it to add the funcion that you want.

Mind you, you did hit on the big advantage of closed source, you cannot practically change it so irrational management can't push you into the "Whirlpool of death by uncontrolled customization" that can occur. But the flip is you are at the mercy of the company you deal with, including their aquistion costs, being aquired by someone else, support pricing, new learning employees etc., you must expect "vendor lockin".

It was about mision-critical software

[rduke15]

The article makes it quite clear that the proprietary software which is much better that open source is mission-critical software. A class of software where ensuring minimum bugs is a top priority, and also a class of software which mostly does just not exist in OSS. If you are an OSS developer, would you try to develop open source air traffic control software? And even if yes, how would you do it anyway?

Basically, my own conclusion from reading the article was that it IS possible to write excellent software with very few bugs, if that is a top priority. And, that the author seems to say that while mission-critical software (which happens to be proprietary) is fortunately much better than the rest, among all that other non-mission-critical software, open source tends to be better than proprietary.

Not surprising, and quite encouraging...

Re:It was about mision-critical software

[quiberon2]

If I was implementing air traffic control software under contract to someone who had some air traffic to control, then yes, I probably would open-source it.

I wouldn't allow 'community' to alter the codebase directly; but I would have a 'reader comment' process; and if someone wanted to use my software to make an open-source air-traffic-simulation game, that would be fine by me.

Really, the software has no commercial value in itself. You need an airport and some planes to control, before there's any value.

Re:It was about mision-critical software

[jimicus]

I was right with you until this point:

Really, the software has no commercial value in itself

The software may have no commercial value, but the ability to support it certainly does. By open-sourcing it, anyone could set up a business selling and supporting the software, which would undermine the business plan of the company which wrote it in the first place - and you'd probably never get any significant community contributions because not many people in the community need to built a mission critical air traffic control system. Think Nessus and the reasons they gave for closing the source..

Re:It was about mision-critical software

[Peter+La+Casse]

In addition to this, it would be great if there were high-quality open source air traffic control software that anybody (with an airport) could use. Once such software achieves critical mass, overall safety would improve (or would be less expensive). This is the same reasoning that leads people who implement new network protocols to use the BSD license: they want their code to be in widespread use. Similarly, people who implement safety-related software want people to be safer.

Re:It was about mision-critical software

If you are an OSS developer, would you try to develop open source air traffic control software?

That's a very interesting question, and there are a lot of areas that OSS has gone into (specialized hardware + functions, robotics, etc) that normal OSS devs don't get to tread in because they don't have the environment or experience... How does one get into that sort of thing?

Re:It was about mision-critical software

[AlgorithMan]

that's an important point, since developers of mission critical software spend BIG MONEY on testing and bughunting
extremely mission critical software (nasa, hospitals) even is (at least partially) PROVEN to be correct via hoare calculus http://en.wikipedia.org/wiki/Hoare_logic or similar methods

Re:So how did they test? -- badly

[AJWM]

they tested it by using a program that systemattically scans code for common errors.

A method known to have flaws. It raises a ton of false positives, things that might "look like" potential bugs but aren't because of the data flow. You have to do a data flow analysis to see if they really are bugs.

For example, not checking for buffer overflows when copying strings, etc, is usually considered a (potential) bug. Certainly it is when dealing with unknown input. However, in a function buried deep behind layers of other code that has already filtered out potentially overrunning strings, it is quite safe. (At least until said code is changed, so it is considered bad practise, but the fact remains that if there's no data path that can cause a problem, it's not a bug.)

Mind, there's bugs and there's bugs. The Space Shuttle software is generally considered to be about the most defect-free software around, but they'll launch with some bugs. Specifically, minor bugs in the display (ie a misspelled word, a column that doesn't quite align) are allowed because they're a much lower risk than going in and changing the software to fix them (and possibly introducing a different bug).

Strange comparison

[kirun]

This article focuses on the result that aerospace, financial and telecoms proprietary software has items in it that get better "quality" scores than any open-source package they tested. This is expected - if your average package crashes, no-one dies. If your plane's software crashes, so does the plane.

It also notes that average open-source beats average closed-source.

So, it tries to ask the question: "How do we make open-source stuff as good as aerospace quality?", but comes across as being more controversial than it needs to be.

Some automatic bug finding

[jchenx]

I figured I should chip in, since I'm a Dev that works in QA.

Somebody please explain to me exactly what kind of software bug can be found by automatic scanning that isn't found by standard debugging and compile-time checks. If a computer can ascertain exactly what the programmer intended to do, why do we need programmers?

Well first of all, you have to assume that all programmers even do the "standard debugging and compile-time checks". Even then, those checks are often hardly comprehensive. You can build some scanners that will catch rudimentary bugs that SHOULD have been caught, but were not. For example, assign things to null, test boundary conditions, etc. These are all things that should be part of a standard unit test that's delivered along with the code.

Also, things like memory leaks can be difficult to pinpoint. That's where tools like BoundsChecker are nifty.

Considering that most software bugs are logic bugs (off by one, etc) that can't be directly seen in the code without actually, you know, RUNNING the program, I find it difficult to believe that AI has come to the point where it can guess the coder's intentions and infer the purpose of an application.

No one is saying that a program or "AI" (as you call it) can find all bugs. But it can certainly be used to find some rather simple ones. Overall, though, I agree that you can't depend on running programs to catch bugs. You've got to have a solid QA department, which will use all the right tools to get the job done and try to maintain quality to the highest degree.

I'm not saying that OSS can't do this at all. I certainly think it can be done, but it does take more process and structure. Not having worked on any OSS projects myself, I imagine the largest, most important code-bases have a lot of this in place to drive quality. But your smaller or even mid-size OSS projects may be lacking in that department (much in the same way smaller and mid-size dev houses lack a decent QA department).

How many times?

In fact, the analysis demonstrated that proprietary code is, on average, more than five times less bug

You'd think just being one times less buggy would be enough.

Re:How many times?

[maxwell+demon]

No, a negative bug rate is much better, because it means in order to get your code bug-free, all you have to do is to introduce enough new bugs, which should be easy. :-)

I will bestow more wisdom upon this forum

[The_Abortionist]

It should come as no surprise that people here cannot accept the results of any study that shows concrete flaws in the open source software philosophy.

However, what this article says can only make sens.

Developping software is much more than coding. There is planning, designing, testing, etc involved. It's a whole organisation that requires a lot of organising. Open source people only put emphasise on the coding aspect, because that's what they care about most. Hence the result is often applications that look like crap, are difficult to use, are not documented and crash on startup 50% of the time.

In the end, the last bit of testing is always done by the user. I call it the test of time. This part of the software development cycle happens too early with open source software, almost all the time.

Of course, I am talking here of community developped software, not software where the company releases the source. Opening the source in itself is immaterial to the source.

Even worse.

[khasim]

He's comparing "bugs" in a project such as Apache with "bugs" in the software controlling a jet engine on an airplane.

He refuses to accept that different projects have different requirements. When the project results in people dying if it fails, you spend a LOT more money and time finding all the "bugs".

When the worst that happens is that you don't see a web page, your money/time requirements are not so high.

Even so, from his finding, Open Source is, on average, better than the closed source projects (not counting the closed source projects that result in loss-of-life in the event of a failure).

He's an idiot for confusing the different requirements.

Re:Even worse.

[phantomfive]

Don't listen to the slashdot summary. It's terrible. The author is not against open source, he talks about the "brilliant open-source community."

What this guy is trying to say (besides 'buy my software') is that open source can do better (the title of his article is "...what open-source developers can learn....."). He wants people to use stricter development practices; things like automatic testing, nightly builds, etc.

Furthermore, he is probably right, automatically testing code ala j-unit or cpp-unit is a great idea when you are getting contributions from many different people. If that became common practice in the open-source world, the code quality would improve. He's not saying open-source is bad, he's saying it could get better.

This guy is not an idiot, you just didn't understand his point.

Re:Even worse.

[linuxci]

He's comparing "bugs" in a project such as Apache with "bugs" in the software controlling a jet engine on an airplane.

He refuses to accept that different projects have different requirements. When the project results in people dying if it fails, you spend a LOT more money and time finding all the "bugs".

Yeah, back in the day a failure in apache could result in loss of life if you were the sysadmin for a .com company back in 2000 and the webserver died just as the CEO was showing some potential investors the site.

I miss those money for nothing days :)

Re:Even worse.

[rduke15]

He is not confusing anything. You obviously didn't read the article.

The idiot here is not the author of the article...

Re:Even worse.

[dkf]

If [automated testing] became common practice in the open-source world, the code quality would improve.

Trust me, it would help a lot if more closed-source software also did automated testing. I've seen a fair bit of closed code in my time (unfortunately under a Non-Vomit Agreement) that was a disgusting hairball and would have benefitted not from being made open, but from being buried at an unmarked rural crossroads with a stake through its heart.

The many-eyeballs approach doesn't guarantee good code (alas!) but it does stop at least some of the worst practices.

Re:Even worse.

[phantomfive]

Yes there is some terrible proprietary code out there, but that was not my point. My point was that open-source code CAN improve with automated testing, and really there is no reason not to do it. That some proprietary code is uglier than open source is not important; what is important is that we can improve. Pointing fingers will accomplish nothing, we can do little to improve their code, but we can improve our own code and here is a way.

Re:Even worse.

[kz45]

"The many-eyeballs approach doesn't guarantee good code (alas!) but it does stop at least some of the worst practices."

This is not true.

The following are examples: Open Office, oscommerce, and mysql. All are fairly popular in the open source community and each one's sourcecode is a complete mess (oscommerce especially).

Open source can actually increase messy code, because not everyone follows the same practices. At least with proprietary software, it is usually written by the same X amount of people (X=number of people working on the project).

Re:Even worse.

[cloricus]

I don't want to sound like I also missed the point so I'll say clearly that I'm in favour of automated testing. I just wanted to note that your assumption that closed code is often written by the same bunch of people. While this seems to be the case it often isn't as companys simply don't care about their coders and will turn them over almost monthly if they see need. Many of the closed source industry specific programs at my workplace have whole areas that they refuse to fix because they simply don't know how it works as the coder who did it is long gone. A great example I read yesterday in the world of EVE is that they wanted to use the billboards system for ads and other interesting ingame content but realised that they simply had no idea how to use it and in reality didn't want to try as breaking it would cause havoc - the coder who did it is long gone.

So I think that opensource is on par with the closed source world on this one with both about as likely to clean up differing code as each other...Then again with opensource at least you can pay a 3rd party firm to do it for you.

Re:Even worse.

[MikeFM]

I think the obvious point is that open source is a process which is evidently working since we have these independent third parties donating help to find and fix these bugs in the open source software. Yes, you may find bugs in the open source but then you are finding and fixing the bugs in the open source. It's a matter of time before the open source has fewer bugs.

Please find and report bugs whenever possible. Fix some bugs if you can. This is the process that does make open source better in the long run.

Re:Even worse.

Furthermore, he is probably right, automatically testing code ala j-unit or cpp-unit is a great idea when you are getting contributions from many different people. If that became common practice in the open-source world, the code quality would improve.

I don't entirely agree. Especially many of those code-coverage tools are so bad you waste so much time hunting "imagined" bugs that not using them will help code quality much more (unless you assume unlimited developer time resources ;-) )

Re:Even worse.

"The following are examples: Open Office, oscommerce, and mysql"

Specially OOo is in fact a case in favour of open source avoiding worst development practices. Just remember all that messness came from the days when OOo was not Open Source, but privative. From that day the codebase has been cleaner (at least *now* you can point it with your finger and say boo-hoo).

meaningless, no data, and probably biased

[oohshiny]

The selection of programs from the two populations of programs (open source, proprietary) are not going to be comparable: vendors of proprietary software have a say over which code gets scanned, and they are going to select a different population of programs than the company selected for open source projects. This isn't a fixable problem: there is no way of doing this sort of study so that you can compare the two data sets. The best they could do is compare something like OpenOffice against Microsoft Office, or Apache against IIS.

Furthermore, Coverity simply cannot accomplish what they claim to accomplish: there is no way of detecting "bugs" automatically--if there were, compilers would already be doing it. Coverity effectively does little more than compare code against a set of internal coding conventions; that can be useful if it's done right, but it's not a measure of code quality. Some completely correct code will score thousands of violations against their tool, while other code may contain thousands of bugs, none of which register. Furthermore, it is likely that a lot of their customers are Windows based and that Coverity is biased towards Windows-based coding conventions, giving more false positives on non-Windows code. Before publishing such comparisons, Coverity first would need to demonstrate that their tool does not contain such biases.

Finally, and perhaps most importantly, the company isn't publishing its data, so nobody can verify or even evaluate their claims. Not only do they fail to publish their raw data (obviously, they can't do that for proprietary software), they also fail to list their summary statistics by vendor and project (which they could, but obviously won't do). They don't even give a summary statistic by class of application, class of organization, and code size. Their results are meaningless because they're not reproducible.

These numbers tell you nothing about FOSS code quality relative to commercial code quality. What they tell you is that Coverity apparently doesn't know how to do statistics, misrepresents what their product can do, and doesn't know how to report experimental results properly. Now, do you want to put your trust in such a company?

Re:meaningless, no data, and probably biased

[jimicus]

Furthermore, Coverity simply cannot accomplish what they claim to accomplish: there is no way of detecting "bugs" automatically--if there were, compilers would already be doing it.

You can't detect bugs with 100% certainty by definition on any Turing machine, but you can certainly detect code which may result in unintended behaviour. Run lint against a bunch of source code and you'll see what I'm talking about.

Re:meaningless, no data, and probably biased

[phantomfive]

Or instead of guessing, you could read the article. They didn't keep the bugs secret, they showed them to the open source teams. They have helped reduce the bugs. You can see what they have done with some projects at http://scan.coverity.com/ and you can furthermore read the report by going to the link on the left hand side of the page. Registration is required, but you will get a lot of other reports as well.

Re:meaningless, no data, and probably biased

[dkf]

As a member of one of the OSS teams contacted, most of what Coverity found in our project were not actual bugs but rather places where the software wasn't smart enough to guess the preconditions on a function right. So they were more places where ill-advised maintenance might well have introduced a bug in the future. (Maybe the other spots were also like this, but we decided to clarify the code in all places anyway so the coverity problems were all cleansed.)

It should, however, be remembered that coverity does not and cannot find all bugs. It is just a more advanced form of Lint that catches a class of errors that is otherwise annoying to track down; a nice extra tool, not a magic bullet.

Re:meaningless, no data, and probably biased

[Ivan+the+Terrible]

there is no way of detecting "bugs" automatically

You are wrong. Check the literature on automated testing.

if there were, compilers would already be doing it

You are wrong. There are dozens (hundreds?) of companies selling software that does what compilers don't do.

Re:meaningless, no data, and probably biased

[EvanED]

Furthermore, Coverity simply cannot accomplish what they claim to accomplish: there is no way of detecting "bugs" automatically--if there were, compilers would already be doing it.

Why do you say that?

I can point you to a number of papers that talk about tools the authors developed that have found a number of bugs in the Linux kernel code base (specifically unchecked user pointer dereferences in the kernel, all exploitable for, say, priviledge escalation, and one of which that had just passed a security audit specifically looking for those bugs), in the SpecInt test suite, in the standard MS-built drivers that come with Windows, that detect whether kernel modules are rootkits or not (at least somewhat; I don't know how much trust I put into that paper), etc.

You're right that you can't have a tool that detects all bugs. But at the same time, there's a TON that can be done in terms of bug hunting that compilers don't do. To say otherwise just demonstrates that you don't know what you're talking about. Perhaps because compilers haven't picked up the analyses that are done by these tools, perhaps because it doesn't really belong in the compiler, I dunno. Probably the latter, because they can produce a lot of false positives.

(I should make two disclosures. First, the bit about the user/kernel pointer bugs required source modification of the kernel to annotate sources and sinks of user pointers. All-in-all, there were under 300 annotations in the whole kernel. That said, this was done at the time of the 2.4 kernel. By now 2.6 may already have the annotations in place in the vanilla kernel. You still need an external tool -- Linus's Sparse -- to check them. (Sparse also requires annotations of EVERYTHING, unlike CQual, which is the one that only needed the 300. So I don't know if the __user annotations are complete. Probably by now they are. The tools are of the same power though once you get those in.) Second, the tool that found the SpecInt benchmarks isn't a completely static-analysis tool. It does static analysis to find where insert runtime checks to guarantee memory safety, but you'd actually need to run the programs though their paces to discover them. That said, these are benchmarks that have been analyzed to death before they got to them, and the bugs hadn't yet surfaced.)

Re:meaningless, no data, and probably biased

[l33td00d42]

You're right that you can't have a tool that detects all bugs.

But you guys would be surprised at how accurately tools like Coverity can predict the overall bug density of a large project. Just as some example numbers, if the Coverity folks find their tool finds 30% of bugs and their tool finds 30 bugs in 50,000 lines of code, the actual number of bugs is going to be near 100. It's called statistical inference. ;)

Re:meaningless, no data, and probably biased

[ClosedSource]

"So they were more places where ill-advised maintenance might well have introduced a bug in the future."

That was exactly my point in a previous post. There are a million ways that "ill-advised maintenance" can insert bugs, so it's not clear if analyzing and potentially modifying code based on one of these automated scans is an effective use of scarce programming resources. Each code modification is also an opportunity to insert a bug as well.

Re:meaningless, no data, and probably biased

[oohshiny]

They didn't keep the bugs secret, they showed them to the open source teams.

But they did not publish the proprietary source code, a list of bugs in the proprietary source code, or even the identity of the proprietary source code. Since their point concerns the relative performance of open source and proprietary code, therefore, they did not publish the relevant data.

Or instead of guessing, you could read the article.

Are you pretending that the incomplete information they published is complete because (1) you don't know any better, or (2) because you actually know better but have a stake in the company?

Re:meaningless, no data, and probably biased

[oohshiny]

You are wrong. Check the literature on automated testing.

Automated testing finds some bugs, not all bugs.

In order to support the kinds of conclusions that these people are drawing, they need to find all bugs, or at least, they need to find a representative sample of bugs consistently in different code bases. They certainly don't do the first, and they have failed to show that they're doing the second.

Re:meaningless, no data, and probably biased

[oohshiny]

I can point you to a number of papers that talk about tools the authors developed that have found a number of bugs in the Linux kernel code base. [...] But at the same time, there's a TON that can be done in terms of bug hunting that compilers don't do. [...] Perhaps because compilers haven't picked up the analyses that are done by these tools, perhaps because it doesn't really belong in the compiler, I dunno. Probably the latter, because they can produce a lot of false positives.

There are plenty of tools that produce lists of bug candidates, some of them very useful. But that kind of software is not useful for comparing software quality: finding 500 bug candidates in one piece of software and 100 in another with one of those tools tells you nothing about which one is buggier because you don't know the rate at which those bug candidates turn into true bugs. Furthermore, you don't know the rate at which those tools have false negatives. Both those rates depend on many factors, including coding style and problem domain.

To say otherwise just demonstrates that you don't know what you're talking about.

Actually, the problem is really just fuzzy thinking and fuzzy terminology on your part.

Re:meaningless, no data, and probably biased

[oohshiny]

But you guys would be surprised at how accurately tools like Coverity can predict the overall bug density of a large project. Just as some example numbers, if the Coverity folks find their tool finds 30% of bugs and their tool finds 30 bugs in 50,000 lines of code, the actual number of bugs is going to be near 100. It's called statistical inference. ;)

Yes, and what's missing from Coverity's report is the data and analysis to support those statistical inferences. Not only is the data missing, there is no indication that they have actually done the proper analysis in-house.

Re:meaningless, no data, and probably biased

[oohshiny]

but you can certainly detect code which may result in unintended behaviour

Yes, you can. But those kinds of detectors are not useful for comparing software quality, at least not without a lot more statistical analysis, which is missing from Coverity's report.

Run lint against a bunch of source code and you'll see what I'm talking about.

There are many essentially bug-free pieces of software I have that lint gives thousands of errors on. And I've checked in plenty of buggy code that passes lint. Tools like lint can be useful, but using them as a measure of software quality is inappropriate.

Coverity's customers probably have near-zero Coverity errors, but that doesn't make their code bug-free. Conversely, TeX sources compiled into C probably give lots of Coverity errors, yet TeX has a very low bug density. Coverity's report is biased towards making them look good, and that's probably deliberate.

Re:meaningless, no data, and probably biased

[phantomfive]

True, my mistake. Didn't notice that they didn't publish the closed source ones.

Nice way to generate publicity

[wannabgeek]

This is just smart marketing. Imagine they put up a survey that did not make any controversial claims (something like, open source and proprietary software are comparable), then would that generate as much heat? Now many people hear about the company because more people talk about this now than if the survey said something less controversial.

Now to compare every open source software application to aerospace software is really comparing apples to oranges. There is a big difference in the expected quality between an editor and an aerospace application. It's alright even if my editor crashes once in every 20 times I invoke it. Is that acceptable with an aeroplane?

I'm sure the folks at Coverity understand all this. But if they really speak what is right, they will not get all the eyeballs and publicity. In classic slashdot lingo:
1. Do something (anything) that involves open source and proprietary software
2. Make claims that sound outrageous / controversial
3. Profit! (with all the free publicity)

Proprietary vs Open Source

[Shadyman]

It's not that OS may or may not have more bugs, it's that we can actually FIX them. Proprietary bugs are at the company's discretion.

A bug can be many things

[jchenx]

I work at MS. In my group (and I imagine it's the same in others), a bug can be many things. Here's what they typically are though:

1. A product defect
   - This is the typical meaning behind the word "bug".
   
2. DCR (Design Change Request)
   - That's where your TeX complaint would fall under. It's "by design" that it doesn't have an iconic user interface, but that doesn't mean it's something that shouldn't be addressed ever
   
3. Work item
   - This is actually a result of the bug tracking system that we use. Rather than sending e-mail, which often gets lost, we often track work items as bugs. For example, "Need to turn off switch X on the test server when we get to milestone Y"
   

To further complicate things, there is a severity and priority attached to every bug. Severity is a measure of the impact the bug has on the customer/end-product. It can range from 1 (Bug crashes system) to 4 (Just a typo). Priority is a measure of the importance of the bug. It ranges from 0 (Bug blocks team from doing any further work, must fix now), to 3 (Trivial bug, fix if there is time). (I don't know why the ranges don't match, BTW, seems silly to me)

As anyone who works on large-scale project probably knows, there are always a wide range of bugs, across all the pri/sev levels. To me, a simple count of all the bugs isn't terribly useful. A project could have a ton of bugs, but most of them being DCRs (which are knowingly going to be postponed till the next release) and/or low pri/sev bugs. Or maybe it's the beginning of the project and they're all known work items. Or a project could have only a few bugs, but with all of them being critical pri/sev ones.

So, whenever I see a report that simply talks about bug count, I take it with a huge grain of salt. If I had to guess (I skimmed the article), it seems like OSS projects have far more bugs, but perhaps lower pri/sev since the product itself has been evaluated as being higher quality. In the end, it's the quality that the customer really cares about.

Re:A bug can be many things

Microsoft probably changed their standard to "better fit users needs" as an earlier poster put it, and changed 0 indexing to 1 indexing, but, as always, they couldn't change everything to the new model because then they'd lose backwards compatability and that's not what the user wants :D.

Sounds like typical Microsoft to me! - Indexing inconsistancies, talk about a source for bugs.

Re:A bug can be many things

[Hathor's+Dad]

"To further complicate things, there is a severity and priority attached to every bug. Severity is a measure of the impact the bug has on the customer/end-product. It can range from 1 (Bug crashes system) to 4 (Just a typo). Priority is a measure of the importance of the bug. It ranges from 0 (Bug blocks team from doing any further work, must fix now), to 3 (Trivial bug, fix if there is time). (I don't know why the ranges don't match, BTW, seems silly to me)" Just a guess but is it multiplication? Like golf the lowest score gets the prize? (ie: the lowest score = x 0). Hence they 2nd numbering system starts @ 0. HTD

Re:A bug can be many things

[PianoComp81]

To further complicate things, there is a severity and priority attached to every bug. Severity is a measure of the impact the bug has on the customer/end-product. It can range from 1 (Bug crashes system) to 4 (Just a typo). Priority is a measure of the importance of the bug. It ranges from 0 (Bug blocks team from doing any further work, must fix now), to 3 (Trivial bug, fix if there is time). (I don't know why the ranges don't match, BTW, seems silly to me)

This sounds similar the ClearQuest database we use where I work. A bug has High, Medium, or Low priority, usually assigned by the technical managers (i.e. those who know how the system should work for our customers, but also have to report to upper-management on the status of the product). Bugs marked as "High" are worked off before Medium and Low bugs. Then there's the Severity rating (we have 5), such as Bug Crashes system, there are work arounds, the bug's a typo, etc. This is determined by the person who found the bug.

It allows for finer-grain of rating a bug: what do the system engineers and technical managers think about the bug, and what do the software developers, testers, etc. think about the bug. If you have good communications, then it works really well and the critical bugs get worked off making both the software developers & testers as well as the technical managers happy (and thereby upper management assuming it doesn't set the product back a few months).

If you notice, Bugzilla even has a Severity and Priority field. It seems that this system of two different types of "priorities" works well for many different types of people.

Re:A bug can be many things

[jchenx]

If you notice, Bugzilla even has a Severity and Priority field. It seems that this system of two different types of "priorities" works well for many different types of people.

I'm guessing that this system has existed for a long time, and from a field that was not in the software industry. It's just a good way for a product team of anything, to determine the right priority order of working on tasks.

misleading summary

[pikine]

From the summary:

In fact, the analysis demonstrated that proprietary code is, on average, more than five times less buggy.

From the article:

In our research using automatic bug-hunting technology, no open-source project we analyzed had fewer software defects (per thousand lines of code) than the top-of-the-line closed-source application. That proprietary code, written for an aerospace company, is better than the best in open source--more than five times better, in fact. That company's software won't let you down when you're flying from New York to London.

In other words, they're comparing the best proprietary code---in this case some aerospace controller program---with the best open-source code. Of course, we would expect the controller program to be more closely scrutinized. There hasn't been life-and-death deployment of open source software nor a need for it.

On the other hand, the article doesn't clarify whether the top quality proprietary software can be purchased by a consumer. I'm guessing these programs are generally not available to personal computer users because of their highly specialized nature (e.g., running a nuclear power plant or jet turbine engine).

Lies, damned lies, and statistics

[Ibag]

If you look at the summary, you come to the conclusion that proprietary software is five times less buggy than open source. It is also unclear how software can have five times as many bugs but be of higher quality. However, if you read the article, you find:

In our research using automatic bug-hunting technology, no open-source project we analyzed had fewer software defects (per thousand lines of code) than the top-of-the-line closed-source application. That proprietary code, written for an aerospace company, is better than the best in open source--more than five times better, in fact. That company's software won't let you down when you're flying from New York to London.

If we ignore that the automatic bug finding algorithms might not be a good measure for anything, we have a few issues with the summary. The richest american is twice as rich as the richest Swiss man. Does it follow that Americans are on average twice as rich as Swiss people? No. In the same way, the statement does not imply that the average open source software has five times as many bugs as the average proprietary software does. The coding practices of mission critical apps like flight control systems are different from those of most of the industry, and it is almost wrong to lump them together with everything else.

The problem with statistics is not that they give an inaccurate picture, or even that selecting the right statistics can give a skewed picture, but that people who don't appreciate what statistics actually give use them to form opinions, make decisions, and summarize articles. Statistics don't lie, but the people who misreport them do, even if they don't realize it.

Re:Lies, damned lies, and statistics

[hyc]

Expanding your post... they're fairly specifically holding up a single piece of software in the aerospace industry, as the cream of the crop, and comparing it to everything else. That's what we call an outlier, skewing the results. A good analysis discards outliers and uses what's left. We already know that the "average quality" of the OSS projects is high; without that outlier it's probably no contest. (Just guessing, not having seen their closed-source data.)

The other thing that's obviously intentionally slanted here - many of the OSS projects on their list show zero bugs per 1000 lines. Obviously we can't do better than zero bugs, so saying "no open-source project we analyzed had fewer software defects (per thousand lines of code) than the top-of-the-line closed-source application" is pure spin.

We can just as easily say "15 of the top 60 OSS projects have zero bugs, but only *one* of the closed source projects could match that." Ultimately the numbers here are meaningless, so it's best to just not play this game.

What would be more interesting to me is a metric of time-to-solution, after a bug has been reported. The current coverity scan isn't set up to measure that accurately, because it doesn't notify anyone on the project when a scan completes and finds any bugs. So unless you check their web site very frequently, you won't know what it found.

how did they get access to the proprietary code

[rs232]

"Propriety software traditionally undergoes a formalized, designed testing process"

You're kidding right, what about that US university booking that wouldn't accept applications from 'overseas' students with addresses in the UK. Or the Airline Radio system that borked every 2^32 millisecs seconds when a 32 bit buffer cycled round to zero.

"Open source software must rely on after-the-fact testing in the form of "this broke when I tried to do this"."

"Open Source software relies primarily on a black box testing approach."

You've got that the wrong way round, closed source is the blackbox.

Re:Why is this surprising?

Re:how did they get access to the proprietary code

[jimicus]

You've got that the wrong way round, closed source is the blackbox.

In testing terms, "black box" and "white box" have specific meanings which aren't in related to how open the source code is.

http://en.wikipedia.org/wiki/White_box_testing
http://en.wikipedia.org/wiki/Black_box_testing

Both forms of testing can be applied to both open and closed source projects (after all, all projects have source code, the only difference in this context is if the source code is available to the general public). However, it's probably reasonable to say that the majority of open source software doesn't get much white box testing,

That wouldn't work for him.

[khasim]

He's selling a service/product ("bug" scanning).

If you required that he match the apps/categories, then he wouldn't be able to match aircraft software to any Open Source project. Without the highly tested, life-critical proprietary apps, his case would collapse.

Which is why he only differentiates based upon "proprietary" or "open".

Re:So how did they test? -- badly

[fatphil]

The '11 of the top 15' is also grossly misleading. There were twice as many proprietory projects as OSS projects - you'd expect them to take 10 out of the top 15 slots. Deviation by 1 from that is lost in the noise.

I agree with your analysis - I've been on the fixing end of a lot of these kinds of reports, and have known that the flagged error can never occur, but the linting nazis insist that there must be zero warnings at any cost.

I thought Voyager was the ultimate in stable code, not the space shuttle?

FatPhil

Re:So how did they test? -- badly

[fatphil]

According to http://scan.coverity.com/ , subversion has 15 lines of code.

That's a bug, surely. Hypocrites!

FatPhil

Mod parent up! Good QA can come from anywhere

[jchenx]

I happen to work in QA for a very commercial software firm (MS in fact, although it's in the games group). I agree whole-heartedly with your comments.

Commercial software has no "lock" on QA. Good fundamentals can be practiced anywhere. And I've certainly seen many testers coming from other commercial firms that have no idea what it does to be a good tester. (Definately instances of that in MS as well, we're a very large company)

I think the only difference "commercial vs OSS" has on QA is perhaps the environment that you're in. OSS projects can benefit from generally being smaller, so they can be more agile, try better software engineering methods, etc. On the other hand, it naturally can take a lot longer to change a larger, commercial firm, away from traditional the waterfall model, etc. On the flip-side, commercial firms benefit from just being able to spend more money: hiring more testers, doing more formal usability studies, etc. Larger OSS projects probably don't have problem recruiting good talent, but I imagine the smaller ones might. Of course there are always exceptions to the above generalizations, and I am in no way trying to say that one is necessarily better than the other. (And I could be wrong about some of them as well, I have not contributed to any OSS projects myself)

But to generalize that commercial software always has a stronger QA engineering component than OSS is bull.

Maybe I'm Misreading this

[pugugly]

But as I read it - they didn't audit the proprietary code base - they counted the errors found, per 1,000 lines of code, and errors fixed.

Now, if Open source is better at finding more subtle errors, even if it fixes them, doesn't his methodology penalize OS code against proprietary code where they didn't find and correct the error in the first place?

Pug

Open source, easy to find and evaluate

[NonViviDaSola]

Open source software, it's easy to find and it can been downloaded and evaluated on the spot. When looking through commercial software I get frustrated with the difficult to search marketing material, the lack of fully functional downloads, and limited documentation before purchase. Open source, on the other hand, can be easily found by searching sites that do a lot of the indexing work for you such as SourceForge.net and all the documentation is readily available as plain text or HTML. Obviously, this does not apply to all commercial and open source software. I've seen a lot of good and bad on both sides.

This is basically nuts

[vtcodger]

What they seem to have done is run a bunch of software through some sort of automatic bug checker that may or may not be a a pile of manure, identified the "best" product which chances to be what the military would call mission critical proprietary software. Then they proclaim that open source isn't as good (Duh) and doesn't meet their high standards.

What they have not done is compare comperable projects -- IE to Firefox, Open Office to MS Office, Windows to OS-X to Linux-KDE. There is, as far as I know, no Open Source software product that is really intended for mission critical applications -- I guess maybe SSH might qualify, but I don't see it in their list.

So, I think what we have here is a comparison of Apples to Turnips using a dubiously calibrated error-o-graph machine that uses an unknown technology to perform undefined tests on software.

Don't get me wrong. I sure as hell wouldn't run a nuclear power plant with Linux-X-Windows-whatever. Nor with Windows -- neither Windows 9 nor NT based Windows. They don't meet my admittedly subjective standards of quality either. But if we waited for near perfect software quality, we'd still be trying to get text mode right. Personally, I 'd vote for that because I think building major structures on weak foundations will likely lead to big trouble a decade or three out, but I think I'd lose that vote about 93 to 1 with maybe 6 abstensions.

Re:my open-source project was scanned by Coverty..

[stevey]

I have audited many many programs. Never once have I been ignored, or had to argue the case for anything I found and reported.

Still I know its not easy to write secure code, even with my auditing experience I've still released code with exploitable holes. You need to get everything right every time, the attacker only has to find one hole to take over...

Bugs in Code

The more lines of code the more bugs it will naturally have, cannot be helped. People spend time working on fixing said bugs, some slip through nonetheless, some are hard to replicate some are glaringly obvious. A Typo in a message for the user, is annoying and while easy to fix is pretty low on the scale of needs to be fixed. A memory overflow causing say a moriphene drip to open up and rush a whole lot of painkiller into the body, much more than it can handle while a nice way to go.. the patient is still dead, and a bug in such a circumstance is pretty HIGH on the needs to be fixed scale. Not all bugs are the same, however when you have the potential for ANYONE to review the code to make sure its up to certain standards the chances that code that threatens life and limb or the bottom line, gets through is radically reduced. Not to say they won't get through even the most stringent review, but the more eyes on potential problems, and the more people who might be potentially able to FIX said problem, the better it is for everyone. Proprietary code reduces these checks and measures, literally reducing the eyeballs that MIGHT see something another did not. Would you trust your life to code that was reviewed by a small group anywhere from six months ago to a year or so, vs, code thats constantly looked over by everyone who wants to be involved in the project including the organization involved in having said code run the mission critical application?

Talk about non-sequitur...

[Attis_The_Bunneh]

Okay, now I'm not much of a big name coder here, but from my experience here at university in learning how to code data structures one thing is always true; it's not what you code, it's how you code. Open Source does not mean good tidy coding practices, open documentation, and etc. It just means everyone else can see your code, that's all. As for it being better at finding bugs, that would be true if documentation practices were more strict, but many closed source projects have the same ailment of not being able or willing to document features, patches, and bugs of their program. Ultimately, whenever I read something like this I realize their assumption is based on that some how certain practices are automatic to open source vs closed source, which is not true since open source licenses do not require the programmer at anytime to program a certain style, it only handles the release of the source code and nothing else.

If the author of this article knew that, then the article would probably not exist at all. So, the tag [FUD] fits perfectly. :)

Quality of Programmers is critical...

[TheNetAvenger]

Quality of Programmers is critical...

Which would you rather have 100 monkeys programming on a project or 10 skilled programmers?

More programmers and more 'eyes' on a project does not mean it is going to be inherently more bug free. In fact with a group of bad programmers in the mix, it can cause severe harm to a project.

I'm not knocking Open Source, but for people to just expect it to be better because more people have access to work on it, have obviously not met as many programmers as I have.

There are a lot programmers that put time into project (and yes Open Source) that have no business developing a VB application for a 10yr old kiddie game, yet they are taking part in large scale coding projects that truly would be better off with them not working on it.

When working with XWindows years ago, I ran into a few people that scared the hell out of me and other people. They had no vision or scope past the specific things they were trying to do, and would often come up with modifications or 'features' that would break more than it added to the project.

In the Windows world of 3rd Party developers I have also found 100s of people I wouldn't want them to develop Hello World. As they had no concept or regard to security, Unicode or many other features that would fail when the applications would run on a non-English system with a user having administration privledges.

You can even find many commericial products in the 3rd party Windows world that also have these problems, but are yet produced by big companies are popular products.

I wish that all ideas would be welcomed into a project, but the people having the final say could trump crap programmers and crap ideas if they are detrimental to the project.

When you look at the Linux Kernel or BSD, you can quickly understand why Linus and others don't want to let the 'deciding' control into the masses, or both of these core OS would become crap in a matter of months of unregulated programmer additions.

Re:Quality of Programmers is critical...

[Kjella]

You can even find many commericial products in the 3rd party Windows world that also have these problems, but are yet produced by big companies are popular products. ...which is because you have the same monkeys in the commercial projects as you do in the OSS projects. In proprietary software you often have a more formalized QA process, in OSS you at least have people with interest (which may or may not mean they have a clue, but the odds are better) but neither is a miracle cure. As much as you'd like to have only good programmers, in my experience the demand greatly outweighs the supply, so you average programmer is... well, average. One of the central parts of managing a large application is finding someone good to design it, split it up into monkey-work, QA that work and glue it together. That is not ideal but simply the way it has to work with the normal composition of a team.

Not quite

[The_Wilschon]

Bugs (a.k.a. Entomology)

Donald Knuth, a professor of computer science at Stanford University and the author of numerous books on computer science and the TeX composition system, rewards the first finder of each typo or computer program bug with a check based on the source and the age of the bug. Since his books go into numerous editions, he does have a chance to correct errors. Typos and other errors in books typically yield $2.56 each once a book is in print (pre-publication "bounty-hunter" photocopy editions are priced at $.25 per), and program bugs rise by powers of 2 each year from $1.28 or so to a maximum of $327.68. Knuth's name is so valued that very few of his checks - even the largest ones - are actually cashed, but instead framed. (Barbara Beeton states that her small collection has been worth far more in bragging rights than any equivalent cash in hand. She's also somewhat biased, being Knuth's official entomologist for the TeX system, but informal surveys of past check recipients have shown that this holds overwhelmingly for nearly everyone but starving students.) This probably won't be true for just anyone, but the relatively small expense can yield a very worthwhile improvement in accuracy.

This is from the TeX users group site, at http://www.tug.org/whatis.html.

Re:So how did they test? -- badly

[IWannaBeAnAC]

Another curiosity: vim has 276,398 versus emacs with 233,375 ? Who said emacs was bloated?

Why all of the complaints?

[BufferArea]

What is the reason for all of the complaints? So what if comparing open source to mission critical proprietary is an apples to oranges comparisons. When attempting to better yourself to become the best possible you don't compare yourself against your peers - you compare yourself against your betters. It may be the case the OS(open source) can't use the same methods as mission critical PS(proprietary software), but it at least known that there a better defect rate is actually achievable in reality and is something to strive for.

Typical PS advocates could also make arguments for an apples to oranges comparison - we have constraints placed on us by customers and managers, we have to be concerned about making a profit, we have to beat others to market and so on (and yes OS advocates will make arguments against this - the point is everybody can make arguments about why a comparison is unfair - but a difference in quality exists regardless of fairness of comparison). In the end, it doesn't matter - typical OS is better and the typical PS needs to improve, just at OS needs to improve compared to mission critical PS.

What this article really enforces is the idea that no model is perfect (which should have been obvious to everyone but apparently isn't) and all of the models have room for improvement and the people using these different models should learn from each other.

Re:Why all of the complaints?

[pembo13]

I think the complain that is it is okay to compare it. But it's not okay to give half the data and then decry OSS.

wheres the scanners source?

[anon101]

There site doesn't seem to give me the source code to the scanner, just keeps asking me if I want a free trial?

How can anyone be sure of how reliable the study is without reading the program that the entire article is based on, if the security scanner is flawed then the article i pointless.

Would you believe someone who told you he had built a device which could measure something that noone new existed, but refused to allow you to see his device, I sure wouldn't.

As many people have said, the scanner can not detect ALL faults.

The question is How was it taught to find faults (maybe taught is a bad word, maybe it should be 'designed').

If it looks for common programming errors how did they determine what was a common programming error?
Asking programmers is a risk, do they always know when they've made a mistake?
The only real way is to look at code where a bug has been found. Proprietery software won't let you do this, Open Source will.

If they built thhe system based on common mistakes in Open Source systems, then tey are more likly to detect mistakes in Open Source code, as open source and proprietry code development techniques differ but may produce differant kinds of bugs.

Re:wheres the scanners source?

They have spent some time thinking about this, look at their site for some papers written on the subject. Dawson Engler has even more of them on his homepage. Or to put it bluntly, RTFR (Read The Fine Research).

Did they run it on its own source code?

[VGPowerlord]

...and if so, did it report any bugs?

Re:Did they run it on its own source code?

[MadMidnightBomber]

Hard to say if it found any bugs - the only output was "Malkovitch".

Re:So how did they test? -- badly

[belmolis]

A guess is that this is because much of emacs' functionality is implemented in elisp code, which is not part of the core program and so not included in the source line count, whereas most of vim is implemented directly.

No OpenBSD ... (?)

I find it curious that the open source projects most touted for the quality of their code (OpenBSD and offspring OpenSSH) are one of the few large-ish open source projects that *are not* tested and compared ...

Re:No OpenBSD ... (?)

"me too"

IEC 61508

[SuperbMan]

Having trouble figuring out your requirements and identifying saftey critical systems?

Having trouble identifying what your actually supposed to be doing?

Then I suggest you give the Norm Internationale - IEC 61058, a read! It's a favourite of mine...

In general most of the engineers throw their hands up in the air and scream blue murder when I quote this stuff at them... (We're a Medical Device company). But I f you want to get a good idea of whats required..

Cheers,

P.S I'd suggest a quick peruse of part 3 Appendix B

  - No Dynamic Objects, Limited use of pointers, limited use of recursion....

It'l' take you a wee while to wade through it... (If you can actually lay your hands on a copy)

Re:IEC 61508

[vtcodger]

***Then I suggest you give the Norm Internationale - IEC 61058, a read! It's a favourite of mine...***

That sounded interesting so I tried to find it on line. IEC 61058 seems to be a specification for electrical switches. '"Norm Internationale" IEC 61058' draws a total blank at Google. Are you sure that's the correct reference?

Re:IEC 61508

Try http://www.iec.ch/zone/fsafety/scope.htm. I also recommend looking at MISRA C http://www.misra.org.uk/index.htm.

Unlike coding standards that merely make your surce look pretty, these standards actually help improve quality by improved design. They are well worth looking at if you can buy (or find) a copy.

Re:IEC 61508

[SuperbMan]

Whoops.. My subject heading had the numbers in the correct order...It's IEC 61508.. But it's a spec you have to pay to get... Cheers.

Re:IEC 61508

[synthespian]

For a list:

http://www.12207.com/safety.htm

Bugs in Open Source Code Are "Better"

[Peter_Pork]

This is the usual completely meaningless accounting, with a myriad of methodological flaws. You cannot make a general statement about bugginess of open-source vs. closed-source code. There are just too many variables to conduct a statistically meaningful study. The reason why open source code is better bug-wise is very simple: the user of the code can fix the bugs. As a developer, I hate to depend on closed-source code. Why? Because *every* moderately large code, open or closed, has bugs, and they invariably show up at some point. I much rather go fix the issue myself that wait for some random amount of time (including forever) for someone else to fix the bug for me.

OSS has faster bug fixing? BULLSH*T

https://bugzilla.mozilla.org/show_bug.cgi?id=13604 9

A bug in Netscape/Mozilla/Thunderbird that was first reported ELEVEN YEARS AGO.

https://bugzilla.mozilla.org/show_bug.cgi?id=20451 9

A case where a programmer with a engo trip can veto a solution to what the user's (customers) demand.

The whole "anyone can checkout OSS code and fix it" is a crock -- only those with 1) the prorgramming skills to do anything 2) the urge to do anything to begin with and 3) no reason to leave their parent's basement.

I personally prefer software written and controlled by those with a profit motive and consequences for failure.

How freaking long did it take ANY form of *nix to support WPA (or wireless for that matter) YEARS after it was available out of the box for commercial OSes?

Heck I use OSS only because I have the patience and skills to mitigate the shortcomings, not because I can't get laid and have too much free time.

Porbably not. More likely green hills

[WindBourne]

If this was MS, then it would be comparing OS to OS. Instead, they are saying that it is software that is running nukes, medical, aviation, etc. All things that have undergone certification. I would guess that Green Hills is doing a MS style FUD job though. Almost certainly they picked closed source that they knew has been around for eons vs. OSS that is relatively new.

Hook it up ...

[LeeMeador]

to Jira (or Bugzilla or whatever) on the Open Source projects and it could submit the bug reports automatically and after only ... three days to three years all those bugs would get fixed.

Yep

Probably true, but there is bound to be plenty of narrow-interest proprietary software out there (the stuff Coverity probably knows and little cares about) that is bug-infested crap and not worth $10, much less several thousands of dollars. Office, despite its bloat, ought to be largely bug-free since so many people everywhere use it and finance development for it (you'd think!), but I've noticed obvious bugs. Plenty of mal-features, but a lot of OSS is like that too.

Not exactly lying with statistics

Here's an interesting question - what's so bad about taking "only" 4 out of the 15 top spots when OSS projects were only about 1/3 of the total pool being rated? ("50 of the mos popular", "over 100 companies", "more than 150 open-source and proprietary software applications that we have analyzed") Let's hope the 11 proprietary ones in that elite group were the ones made to control critical systems like airplanes and nuclear reactors, eh? Hate to think that such weren't as good as the best of OSS!

Ask MS this question, they know the answer.

[GuyFawkes]

For sure, MS Windows and MS Office are closed source so "we" cannot analyse them.

However, Debian (which I am running here) and Open Office are not closed source.

Simple logic will tell us that someone or someones in MS are tasked with keeping a close eye on open source and how it compares with MS own operations, hell, this is MS core business strategy, just ask Jobs...

MS aren't likely to tell anyone else these results, but, we can maybe infer them from MS actions.

eg

"Vista sucks" ---> MS ain't worried about Debian / KDE

or

"vista allows you to pause and resume multiple file transfers, and don't abort the whole list on one error" ---> MS is very worried about *nix in general coming to the desktop

one factor missing I'd bet

[josepha48]

Open source tends to be more of, what do I want to add or what requests am I getting for features. Also what bugs are people complaining most about. In open source once the product goes from 'beta to live/GA', bug fixes are usually security related or end up in the next major release.

Proprietary software tends to have requirements of what bugs they MUST fix. In this case once the product goes 'live/GA' users can request bugs to be fixed AFTER 'live/GA'. Not just security issues either. We usually do a few maintainence fixes, after GA because of what our users require us to do.

I also think that there is a QA issue in open source. Open source does not usually have a QA department, it has a beta period for people to find bugs. Proprietary software almost ALWAYS has a QA department or QA period where stuff is tested over and over for bugs and then these bugs are fixed.

Maybe open source needs OPEN QA!

Don't be so quick to judge

First off, yes, the article is fairly worthless for countless reasons, but that's not what I want to talk about.

This is not to say Coverity is worthless as well. It is not doing things that a compiler can simply do and it does find errors that you *might* stumble across in debugging, or you might not (my place of work recently evaluated it, and I'll venture a guess that it's one of the proprietary folks included in the study). It tries to execute various possible branches of code to see if you might be working with pointers which might be null or if you might have a buffer overrun. Yes, some of the "bugs" it reports are false alarms, but it will also draw your attention to areas where there might be legitimate problems (and it will just as easily not catch bugs). Complaints in here that it's worthless as a compiler/debugger could do it and Windows-programming-practices-centric (I honestly have no idea what that means) are pretty baseless, and I'm guessing, coming from people who have never even used the product. Am I advocating using this product? Not necessarily, but these kinds of tools *do* have a place in any serious development shops QA process.

Shaaa... this is like so obvious....

[Reverend99]

... department of homeland security is funded by the government. Government is funded by tax dollars. Tax money comes from big corporations like Microsoft and Google. It's obvious that his is a biased report. No way open source software has ever had any flas ever.

And how did they get the data?

[Eric+Damron]

This doesn't make any sense. It assumes that they found all the bugs in close source software or they trust the proprietary vendor to disclose all defects.

Yeah right. Like a vendor making money selling a product is going to be truthful when telling just how crappy his product really is. ROFLMAO

Automatic code testing

[joe_plastic]

I just ran across an interesting blog entry by Federico Mena Quintero that linked to two interesting papers : When should a test be automated? and Classic testing mistakes.
Automated tests are often more expensive to write than manual tests, so when should you do automated tests versus manual ones? The answer is not always automated tests. Also typical unit testing is only part of what kind of testing needs to happen.
Using Ring Buffer Logging to Help Find Bugs was also another good link that Federico had in another entry.

You have to define quality

[gosand]

In fact, the analysis demonstrated that proprietary code is, on average, more than five times less buggy. On the other hand, the open-source software was found to be of greater average overall quality.

OK, what is the definition of quality? Most people like to say "free of bugs", but that isn't a true indicator of quality. My working definition is that a high quality product meets or exceeds the client's expectations. Now with OSS, my expectations aren't really that high. I mean, if it crashes, or the UI is kind of clunky, or it is hard to install... I just kind of expect there to be some of that. But if I pay for something, I expect it to be of higher quality in these regards. And if a client hires someone to create software for them, it had better meet their requirements. Of course, that is all pretty much a game nowadays, where promises are made, requirements are poor, and it all just turns into a used car sale. Roll out the dog and pony show, let the smooth talkers "work" the clients to explain why they didn't get what they asked for...

Re:So how did they test? -- badly

[miro+f]

not only that, but it has 15 lines of code and they fixed 23 bugs in it. that's some buggy code!

The other interesting thing I found:

Gnome: 31,000 lines
KDE: 4,500,000 lines

I always thought KDE was bloated (commence flame wars)

openoffice

[higuita]

openoffice code is a mess because i is very old... remember that there was a staroffice in DOS time, the same code was update over and over and over before release to the opensource community...
since then many people try to clean it, but its hard and risky to clean a such big app

most projects have a coding style that everyone should follow, and many force you to comply if they want their code to be accepted

Re:openoffice

[Hotawa+Hawk-eye]

That's why it needs a strong set of automated tests, testing as much of the functionality as it can. Those pieces of functionality that can't be automatically tested should be thoroughly described so they can be manually tested. Then it will be safer to refactor the code; as long as the new code passes the tests, it will behave the same on those tasks as the old code.

Coverity is involved, so ignore the study

[The+Man]

The whole purpose of the study is to ingrain in the minds of readers the idea that Coverity makes software that can count the number of bugs in a piece of software, leading to the obvious conclusion that it can also identify them and therefore is an extremely valuable product for developers. Of course, this is not true. Coverity's products cannot tell you that your program includes an infinite loop (because it cannot solve the Halting Problem), they cannot tell you that your program will perform at a snail's pace (because the performance characteristics of a piece of software depend on the algorithms it uses, which cannot be reliably determined by examining code, as well as the performance characteristics of the machine on which they are run, which simply cannot be determined in any way by examining source), and they cannot tell you that your program is logically wrong (because they do not know what your program is supposed to do). These are, in the real world, the kinds of problems that occupy virtually all bug-fixing effort. Worse still, many of the problems that Coverity's products, like all other automated source checkers such as lint and gcc -Wextra, do report are in fact false alarms.

Coverity, of course, knows that reports like this will be written up in exactly the way this summary was, clearly associating their company with the idea of enumerating the bugs in a piece of source code. While not illegal, this type of marketing is of course deceptive; while published papers describe the type of defects (or non-defects) actually detected, the overwhelming volume of commentary will reflect the broader, and incorrect, view that Coverity == bug-finder. It would be just as meaningful (which is to say, not very) to publish the number of lint warnings or missed opportunities to qualify pointer arguments with the const keyword, and neither would require an expensive piece of overhyped software.

Just Say No to Coverity's marketing gimmicks.

Re:Coverity is involved, so ignore the study

[bmajik]

While i have no experience with coverity's tools in general, you seem to hold a very dim view of static analysis tools, which is unfortuneate, since they can and do find real bugs.

When there are no more peices of software that ship with stack overruns, static analysis tools _might_ not be worth using. But we're not there yet.

Static analysis is just one of many tools that can help refine the quality of software. As we learn not to make the mistakes static analyzers can detect, their necessity and usefulness will also change, just like the types of bugs we are writing will also change.

As someone that is in the software QA business, I happen to love that some developers are using static analysis tools. I want my job to be automated just like (most) everyone else does, and every arcane buffer size defect or missing return value check that is detected by automated tools is one I never see when I do a code review. This leaves me free to focus on looking for things I know aren't well detected - like logic errors, infinite loops, etc.

I've been thinking for a while that there is a lot of software engineering methodology that could be applied to great effect in the F/OSS world. The linux kernel code coverage project for instance is somewhat primitive compared to tools we're using internally at my company, but it's "close enough" that it could present tremendous value if some structure/practices were put around it. Combine it with the linux test project (and based on reading about the linux test project, that one has a lot of good content but doesn't seem to have the right focus and presence) and now you've got the beginnings of some real software testing with feedback loops going towards the developers. Throw in some static analysis here and there and it's almost going to feel like software engineering instead of "hacking".

Yeah - hacking got us (part way) here. How far will it take us? How much of what I envision is already being done behind closed doors at IBM, Redhat, or whereever ? I just read a paper abstract today on using an instrumented version of Bochs to test the linux kernel for various run time faults. Fantastic idea. Now, put it into production.. hook that thing up to a profiler.. or lcov.. run the LTP inside of it.. run crashme or whatever todays syscall-fuzzer is..even if you find only one "wow.. thats weird" result, the computer was doing all the work for you, so why not take advantage of it?

Holy crap!!!

[MochaMan]

Now that is what I call compact code! I don't know of any other project that's pulled off so much functionality in so few lines of code.

But the bug/lines of code ratio of 23/15 is a little high for my tastes. Perhaps it's time to look at Visual SourceSafe.

OpenOffice is a bad example.

[Ayanami+Rei]

The codebase is very old, contains a bunch of legacy stuff nobody really understands, as the codebase has passed hands from a German company to Sun to the OpenOffice.org foundation. It's also picked up a layer of java along the way (for whatever reason).

It's too bad because it actually works kinda okay, but it's a real effort to get your hands dirty with.
Blender is also like that... it seems when a codebase has 'gotten around' it tends to pick up the bad habits of all the hands its been through.

MySQL is a bad state because it's really only developed by MySQL AB -- no one else is contributing to it so they have no reason to make it any more maintainable than it is. PostgreSQL, on the other hand, had the luxury of being the fruit of some academic research projects and was rewritten once or twice, so it's a little more maintainable.

Re:OpenOffice is a bad example.

Blender seems to improving, there is at least one person who really understands the codebase (Ton) and things get cleaned up as old code gets swapped out with newer, mode general code.

one thing we all should know..

[Treates2]

Proprietary Software Sucks.

Why dont i trust the institution that wrote this ?

[unity100]

May it be because they are the government's pawn, and government is now run by cartel-loving people, and they want to push digital rights, patents, restrictions on the internet, more secretive, closed code so that they can better 'protect' their supporting cartels' digital 'rights' ?

talk me money

[towsonu2003]

sooooo... how much did you get for this?

In fact, the analysis demonstrated that proprietary code is, on average, more than five times less buggy. On the other hand, the open-source software was found to be of greater average overall quality.

but it's okay, because one of your guys seems to sabotaged the submission... tell me how this makes any sense: there are less bugs in proprietary software, which is of worse quality... I am very confused... or not?

open software makes proprietary software buggy

[zitintheass]

Quality in closed source projects is declining due to predating open-source projects. Money is not being made in closed-source projects anymore so wages are declining, people are getting fired and ultimatelly quality suffers. Nearly all healhy closed-source firms are threatened or in the phase of being liquidated by predating open source projects. There is no point of starting a new closed-source proprietary project anymore, even if you start one then there will be a new o.s. project soon to wreck it. The more successfull you are then the possibility that some german student will start getting busy on sourceforge.org is even higher.

There are code reviews...

[HangingChad]

...and there are code reviews. One of the customers I work at hired EDS to do a code review (not one of my apps). EDS sent five people...none of them actual programmers. They spent the first two days in a conference room figuring out how to approach the job. 80 man-hours later the EDS team reaches the startling conclusion that they're going to need programmer support for the actual code review.

And people say Big 5 consultants aren't worth the money. Pshaah.

Re:So how did they test? -- badly

[newt0311]

so did I. Now we have proof!!!

uuuuuhhhh

[Cinquero]

Hell, open-source is a nice idea, but it DEFINITELY lacks QA EVERYWHERE! Even KDE -- the soooo user-friendly desktop -- does not care for proper and reliable operation. How often did I need to go into ~/.kde and fix things manually because the calendar did not work any more etc.etc.etc....

In the end, it is all a matter of work. Much money means much work (usually). So there you go. I just hope that the independence of open-source software leads to a rather prefect end-product (somewhen).

BULL CRAP

[hackus]

Do I look studpid?

I will have to check in the mirror again as I might be living in a different universe where my Linux boxes always have to be remotely rebooted on a weekly basis and my Windows machines have 400 days worth of uptime.

-Hack

Re:So how did they test? -- badly

[Breakfast+Pants]

Proof that what, GNOME has no browser?

Why hasn't anyone said this yet?

[It's+a+thing]

It's not a bug, it's a feature! :P

Fair comparison?

[mrjb]

"The best of closed-source software is found in so-called mission-critical applications: things like jet engines, nuclear power plants, telephone systems, medical devices. These are things that simply can't fail, or people may die. "

This type of quality (CMM level 5, I might hope) doesn't happen overnight. It can only be reached by subjecting the whole development process to rigorous methods. Also, someone is hired and appointed as the responsible person for the software in question. Not just any software company is capable of reaching CMM level 5, even if it was Mr Gates himself who founded it (I'm not even sure MS writes software at CMM 2). We're talking about best-of-the-breed software companies here.

In contrast, no warranty is given on software that is released under the GPL. It is in the nature of the GPL that anyone can contribute, but that if you wish to use it, you do so at your own risk.

Which makes me draw the conclusion: Duh- *Of course* open source software has more bugs than mission critical nuclear power plant / jet engine / hospital equipment software.

Whoever said "The 2002 NIST study estimated that $22 billion of the cost of buggy software would vanish with better testing" doesn't realize that there is more to software quality than testing. Software quality only happens it is guaranteed in every step of the development process, from specification to rollout.

Mediocre article, bad summary

[Coeurderoy]

What the article really tell is that although the quality of OS application is on the average higher than Closed Sources applications, there exist a class of OS application that has higher quality, notably airplane software.
Well since there is a very limited number of airplane manufacturer (for a large number of very bad reasons), and since it is quite difficult to have a handy Aibus 380 or Boing Skyliner around for testing, it is clearly not a very "OS Friendly" field of development.

Actually what is really compared is:
        Open Source applications
        Closed Source applications
        and a class of very specific Bespocken applications.

Now the methodology is not very scientific, and therefore the results quite disputable.

But what it might show if anything, is that if there would be more openess in the airplane industry and more cooperation and information sharing, planes would probably be cheaper and safer.

So to make a slightly too fast shortcut: patents are bad not only in the software industry but in practice, everywhere.

Re:So how did they test? -- badly

[newt0311]

damn right and why should it? a browser should NOT be a native part of a DE. that is a major sign of bloat.

That's probably why priority starts at 0

[jchenx]

Just a guess but is it multiplication? Like golf the lowest score gets the prize? (ie: the lowest score = x 0). Hence they 2nd numbering system starts @ 0. HTD

Ahh, bingo. I believe that's it. I know of some groups that just need one score to focus on, and will simply multiply priority by severity. But if a bug is truly pri 0 (blocking all other tasks), you want that to be worked on no matter what its severity is.

Formal methods/safe languages, anyone?

[synthespian]

First, the author is not against open source. In fact, Coverity is helping projects like FreeBSD by providing tools for developers.

Second, he is not comparing apples to oranges. He is using a metric, bug-rate in a wide sample. Then, he finds, interestingly enough, that proprietary software is very much scattered, but the ones on the top are 5 X less buggy than open source. This begs the question: why? This is what people should be discussing. Not saying he works for Microsoft and all that childish bullshit...

The *real* question is: what are those methods people developing mission-critical software use that open source hackers do not? My hunch is: formal methods, safe languages.

For instance, Ocaml http://www.astree.ens.fr/ was used in a sofware verification system for the Airbus A340 fly-by-wire system. Haskell is used by Galois Connection http://www.galois.com/ to develop secure protocols for the DoD. And there are many other examples, just look at the clients of vendors of Erlang (well known), Common Lisp, and Eiffel.

As long as the open source community sticks to C (and C++), we're all going to remain in this ridiculous situation that we are in today. In this day and age you can use a fast compiler for safer languages like ML, Lisp or Eiffel, but people insist programming like we're in the 70s.