Bug Hunting Open-Source vs. Proprietary Software
PreacherTom writes "An analysis comparing the top 50 open-source software projects to proprietary software from over 100 different companies was conducted by Coverity, working in conjunction with the Department of Homeland Security and Stanford University. The study found that no open source project had fewer software defects than proprietary code. In fact, the analysis demonstrated that proprietary code is, on average, more than five times less buggy. On the other hand, the open-source software was found to be of greater average overall quality. Not surprisingly, dissenting opinions already exist, claiming Coverity's scope was inappropriate to their conclusions."
I scanned through the article, it didn't seem to mention how they tested the top proprietary software. I can well understand that there are a lot of bugs in open source code since it is written by humans. But humans also write the proprietary code. How did they test it?
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
Knuth used to have this great offer where he'd send you a check for pi or e or something if you managed to find a bug in his code.
Well, what is a bug?
I doubt he'd send me a check if I told him that TeX doesn't have an easily accessible iconic user interface. No, his concept of a bug is a deviation from the specified functionality.
But what if that functionality is wrong or sucks?
Apple does really well at creating functionality that doesn't suck. They suffer from the same problems of deviations from the spec as much as anyone, but they manage to mold their spec around what users want. Microsoft, to some extent, does the same and they release products that conform to what users want (generally) because they change the spec as necessary when customers demand change.
If you are implementing towards a standard (like most OSS projects with any traction are wont to do), then you are necessarily restricted by what that spec says. If the spec says to do something inane, the standard-follower must implement it that way.
I don't really have a point here except to say that unless they say "this is what we mean by bug", there can be no way to really examine their results.
The problem is that there are different types of bugs. Things like a typo in a help file, or American spelling vs British spelling, vs a bug where the app crashes the system when installed on a system with an early version of Quicktime are classified differently.
The summary just says all bugs, which is not fair if the proprietary software has 5 times the number of critical or super-critical bugs.
"It is a greater offense to steal men's labor, than their clothes"
Why does this surprise anyone? Proprietary software traditionally undergoes a formalized, designed testing process. It's not perfect, but it's an ordered approach to boundary testing, design level implementation of quality, and more. Open source software must rely on after-the-fact testing in the form of "this broke when I tried to do this".
In the end, it comes down to black box vs. white box testing. Commercial software has a strong QA engineering component. Open Source software relies primarily on a black box testing approach.
Open source has MANY benefits and MANY advantages over commercial software. This just doesn't happen to be one of them, but unlike the commercial software, the bug fix cycle on open sourced stuff can be a LOT quicker, so it evens out in the end.
No, *popular* open-source software is 5x as buggy as *safety-critical* closed software. The linked dissenting opinion is at least partly right; they're comparing apples to oranges.
Maybe they should try comparing open- and closed-source software that's actually trying to solve the same problem? That'd be a bit more valid of a comparison...
Open-source software is expensive if you want a commercial support contract (because you are asking a professional to spend a lot of time learning).
Closed-source software doesn't have the function that you want, and you cannot fix it to add the function that you want.
You pays your money and you takes your choice. You can always stick to pencil-and-paper, and not use this 'software' stuff at all, if you prefer.
He's comparing "bugs" in a project such as Apache with "bugs" in the software controlling a jet engine on an airplane.
He refuses to accept that different projects have different requirements. When the project results in people dying if it fails, you spend a LOT more money and time finding all the "bugs".
When the worst that happens is that you don't see a web page, your money/time requirements are not so high.
Even so, from his finding, Open Source is, on average, better than the closed source projects (not counting the closed source projects that result in loss-of-life in the event of a failure).
He's an idiot for confusing the different requirements.
This is just smart marketing. Imagine they put up a survey that did not make any controversial claims (something like, open source and proprietary software are comparable), then would that generate as much heat? Now many people hear about the company because more people talk about this now than if the survey said something less controversial.
Now to compare every open source software application to aerospace software is really comparing apples to oranges. There is a big difference in the expected quality between an editor and an aerospace application. It's alright even if my editor crashes once in every 20 times I invoke it. Is that acceptable with an aeroplane?
I'm sure the folks at Coverity understand all this. But if they really speak what is right, they will not get all the eyeballs and publicity. In classic slashdot lingo:
1. Do something (anything) that involves open source and proprietary software
2. Make claims that sound outrageous / controversial
3. Profit! (with all the free publicity)
I'm much more funny, interesting and insightful than the moderators think
Now these days you often get studies claiming that proprietary software is less buggy than free software, but they miss some very significant points; the ones we used to respond to MozillaQuest articles still apply very much today:
- Free software projects very often have an open bug database so it's easy to see how many open bugs are in a project, most proprietary software doesn't have an open bug database so you have to trust the manufacturer and your own testing
- Not all bugs in open databases are really bugs. Some are requests for enhancement, some are duplicates and some are rants
- In some cases one person's bug may be another person's feature (e.g. if an application does something differently to the platform guidelines, some people may like this alternative behaviour, others will consider it a bug).
- The profit motive - companies have a lot to lose by letting people know about bugs, volunteer led projects tend to want people to know about bugs in the hope someone will help fix them (this is getting a bit blurred now that more and more organisations are making money off free software but the fact still is with proprietary software you can't fix the bugs so they gain nothing by telling you about them)
Sorry if this is redundant, I'm working on call at the moment and was halfway through typing this when I had some work to do!