Slashdot Mirror


US DHS Testing FOSS Security

Stony Stevenson alerts us to a US Department of Homeland Security program in which subcontractors have been examining FOSS source code for security vulnerabilities. InformationWeek.com takes a glass-half-empty approach to reporting the story, saying that for FOSS code on average 1 line in 1000 contains a security bug. From the article: 'A total of 7,826 open source project defects have been fixed through the Homeland Security review, or one every two hours since it was launched in 2006 ...' ZDNet Australia prefers to emphasize those FOSS projects that fixed every reported bug, thus achieving a clean bill of health according to DHS. These include PHP, Perl, Python, Postfix, and Samba.

2 of 203 comments

  1. Wow... FOSS looks pretty pathetic by Anonymous Coward · Score: 0, Troll

    So in other words, this thing started in 2006. So if Big Daddy Gubment had not come by with what's essentially a bailout of FOSS, it would STILL be a buggy mess.

    Kind of hilarious, how no matter how much of an insecure, buggy, crappy mess FOSS proves to be, they still whine about Microsoft.

    Guess it's easier to point the finger than it is to get your own house in order.

  2. Some perspective here. by DerekLyons · Score: 0, Troll

    According to McAfee recently (http://yro.slashdot.org/article.pl?sid=08/01/05/0215201) and Microsoft et al, having your code exposed lets the bad guys exploit its vulnerabilities.

    That should be so obvious as to not require stating, by McAfee or anyone else. How large that risk really is can be debated, but its existence is as certain as the sun rising tomorrow.

    Of course if or when a weakness is taken advantage of, it would likely be fixed very quickly through the FOSS community, instead of on the first Tuesday of every month as in Microsoft's business model.

    Fixing it some uncertain time after it has been exploited is fine by the [relatively] sloppy standards of the FOSS community. But neither having it fixed the first Tuesday nor some uncertain time later is of much consolation to the guy who suffers business or data loss.