Code Quality: Open Source vs. Proprietary

just_another_sean sends this followup to yesterday's discussion about the quality of open source code compared to proprietary code. Every year, Coverity scans large quantities of code and evaluates it for defects. They've just released their latest report, and the findings were good news for open source. From the article: "The report details the analysis of 750 million lines of open source software code through the Coverity Scan service and commercial usage of the Coverity Development Testing Platform, the largest sample size that the report has studied to date. A few key points: Open source code quality surpasses proprietary code quality in C/C++ projects. Linux continues to be a benchmark for open source quality. C/C++ developers fixed more high-impact defects. Analysis found that developers contributing to open source Java projects are not fixing as many high-impact defects as developers contributing to open source C/C++ projects."

Not a surprise

[Tontoman]

Sunlight is the best bleach.

Re:Not a surprise

[viperidaenz]

bugs, like DRM?

Re:Not a surprise

[dkf]

Actually that was Eric Raymond, and it is evident that in fact there never are enough eyeballs (at least ones that can comprehend what they are looking at). The theory is sound but in practice it is not.

It's a fundamental truth that, the more of the system you have to comprehend to truly understand it, the harder it is to debug. Syntax problems? Trivial. Global liveness checking? Much harder. (There's just so many ways to screw up.)

Re:Not a surprise

You can't even attribute a quote correctly.
Linus was the guy that said "Look what you did to my code! You @#$%&! I'm gonna @#)+-*&$! You. You &$(#*%+.

Re:Not a surprise

[K.+S.+Kyosuke]

It's called stochastic sampling. There are "never enough" stochastic samples if you want to get to zero error, but given an arbitrary acceptable error, there are usually acceptable sample numbers and sampling strategies.

Re:Not a surprise

[aliquis]

Without seeing it?

They patch at random and let evolution take care of the rest? ..

Re:Not a surprise

Well - at least it was found...

With closed source at the other hand..
Well - let's say the bad guys still have great day's for a loooong time...

Re:Not a surprise

[Martin+S.]

Proves nothing of the sort.

It would likely have remained hidden in a closed source equivalent.

Re:Not a surprise

[apotheon]

Only if they're actually is sufficient enough people looking at the code. OpenSSL proves that there isn't.

It's difficult to get enough eyes on the project when its design is such a mess that people who take a look at it have no idea what they're seeing.

Every major TLS software package available is crap, from what I've seen. OpenSSL only "proves" that with a sufficiently hyped marketing campaign, a bug in one package can ruin its reputation relative to others with similarly bad security issues that did not get the same marketing. In some respects, it could be argued that the recently discovered bugs in GnuTLS and Apple's TLS code were actually worse than the heartbeat feature's bug in OpenSSL, if only because the kind of coding stupidity that produced those bugs would almost certainly never have been made by someone who would even be capable of fixing the OpenSSL bug, while the OpenSSL heartbeat bug (aka "Heartbleed") is basically just a mistake made by an at least marginally competent coder.

So, take your pick: "Heartbleed", a bug introduced as a possibly understandable mistake by an at least marginally competent coder, but comes with tremendous marketing hype -- or the GnuTLS and Apple bugs of the "we check to make sure it's a verified connection, but then do nothing about it when it's not verified", which are the kinds of errors that require the relevant coders to actually be incompetent, drunk, or otherwise so out of whack that it makes those of us who understand the problem scratch our heads and wonder how that could ever possibly have happened, but did not come with tremendous marketing hype, so nobody really thinks about the shaky ground on which they're standing when using that software.

The key fact to keep in mind, though, is that basically every major, widely used TLS package in the world (open source or closed) seems to be rickety garbage mostly maintained by manifestly unqualified programmers. Worse, many of them don't seem to realize they're unqualified. OpenSSL appears, from what I've seen (which admittedly isn't enough to be sure of my conclusions), to be at least slightly less awful than Apple's, GNU's, and Microsoft's equivalents, but even optimistically it is the best of a bad breed. There is one ray of hope here, however: some people in the OpenBSD project have undertaken the herculean task of forking OpenSSL and rehabilitating it. Given the relatively high density of people with secure coding skills in the OpenBSD developer community, and the OpenBSD project's practice of performing extensive code reviews, as well as the early evidence that these guys are doing what it takes to make a good TLS package out of OpenSSL -- throwing away huge swaths of unnecessary code and cleaning up some horrendous bugs that have been around forever -- I have high expectations, assuming the fork project doesn't die before reaching stable release state.

Re:Not a surprise

[apotheon]

Good point. The bug was found . . . and fixed. How does this prove that nobody's looking at the code and fixing bugs?

Managed langauges

Java project developers participating in the Scan service only fixed 13 percent of the identified resource leaks, whereas participating C/C++ developers fixed 46 percent. This could be caused in part by a false sense of security within the Java programming community, due to protections built into the language, such as garbage collection. However, garbage collection can be unpredictable and cannot address system resources so these projects are at risk.

This is especially amusing in light of all the self-righteous bashing that C was getting over OpenSSL's problems. Seems it's true that using a "safe "language just makes the programmer lazy.

Re:Managed langauges

[viperidaenz]

Resource leak in Java = DoS, as mentioned already
Resource leak in C = Heartbleed.

Personally, I'd rather my application crash than expose my private keys and other data that was supposed to be encrypted.

Re:Managed langauges

Apparently you missed the cyrpto flaws in Android 's Java crypto library from last year that exposed private keys. Apparently writing things in Java guarantees jack and shit.

Re:Managed langauges

[sexconker]

Apparently you missed the cyrpto flaws in Android 's Java crypto library from last year that exposed private keys. Apparently writing things in Java guarantees jack and shit.

No, writing things in Java guarantees your shit will be jacked.

Re:Managed langauges

You mean this one, lol?

Solution: The vendor has issued a fix for the Android OpenSSL implementation and has distributed patches to Android Open Handset Alliance (OHA) partners.

Oh, that notorious piece of Java code, OpenSSL!

Re:Managed langauges

[Darinbob]

I also think that with a low level language that more developers are aware of potential problems than developers using high level languages. In some sense I think this is also due to the types of programs being developed. C/C++ today is common used for embedded systems, operating systems, runtime libraries, compilers, security facilities, and so forth. So systems programmers versus application programmers versus apps programmers. The system programmers are forced to take a close look at the code and must be mindful of how the code affects the system. I think that if you had such a comparison done back in the 80s that the numbers would be different because many more application programmers were using C/C++.

Ie, interview for a systems programmer: do you know about priority inversion, do you understand how the hardware works, do you know the proper byte order to use, what does the stack look like, etc.
Interview for the modern applications programmer: have you memorized the framework and library facilities.

Re:Managed langauges

The underlying bug was in the Android PRNG handling, not a flaw in OpenSSL.

Re:Managed langauges

[reanjr]

I've never been in an interview where they asked for memorized framework and library facilities. As a web developer, I get questions about data normalization, graph theory, and complicated SQL JOINs.

Not a surprise, but no reflection of O/S vs Prop.

[RonBurk]

First, we shouldn't confuse Coverity's numerical measurements with actual code quality, which is a much more nuanced property.

Second, this report can't compare open source to proprietary code, even on the narrow measure of Coverity defect counts. In the open source group, the cost of the tool is zero (skewing the sample versus the commercial world) and Coverity reserved the rights to reveal data. Would commercial customers behave differently if they were told Coverity might reveal to the world their Coverity-alleged-defect data?

Again, having good Coverity numbers can't be presumed to be causally related to quality. For example, Coverity failed to detect the "heartbleed" bug, demonstrating that the effect of bugs on quality is very nonlinear. 10 bugs is not always worse than 1 bug; it depends on what that one bug is.

Polishing old code or writing good code

[mtippett]

The report doesn't really go into an important measure.

What is the defect density of the new code that is being added to these projects?

Large projects and old projects in particular will demonstrate good scores in polishing - cleaning out old defects that are present. The new code that is being injected into the project is really where we should be looking... Coverity has the capability to do this, but it doesn't seem to be reported.

Next year it would be very interesting to see the "New code defect density" as a separate metric - currently it is "all code defect density" which may not reflect if Open Source is *producing* better code. The report shows that the collection of *existing* code is getting better each year.

Re:Polishing old code or writing good code

Actually it's the reverse. Fengguang Wu does automatic defect reporting so new bugs get found and reported within a week. We've had great success with this.

But if we delay then here is the timeline:
- original dev moves to a new project and stops responding to bug reports (2 months).
- hardware company stops selling the device and doesn't respond.
- original dev gets a new job and his email is dead (2 years).
- driver is still present in the kernel and everyone can see the bug but no one knows the correct fix.
- driver is still in the kernel but everyone assumes that all the hardware died a long time ago. (Everything in drivers/scsi/ falls under this catagory. Otherwise it takes 8 years).

Each step of the way decreases your chance of getting a bug fix. I am posting anonymously because I have too much information about this and don't want to be official. :)

Re:Python

[Desler]

But that's written in C and C is the worst programming language ever!! How dare they be so dumb to not write Python in a "memory safe" langauge!

Ah, Coverity

[ceoyoyo]

Coverity: Hey you, proprietary software developer with the deep pockets. Yeah, you. We've got this great tool for finding software defects. You should buy it.

Proprietary software developer: get lost.

Coverity: Hey, open source dudes, we've got this great defect scanner. Want to use it? Free of course!

Open source dudes: Meh, why not?

Coverity: Hey proprietary software developer, did we mention those dirty hippie neck beards are beating the stuffing out of you in defect (that we detect)-free code?

PSD: Fine, how much?

Useless analogy

[Virtucon]

This is a useless analogy. Code Quality is a function of both skill and the stewardship of the team supporting the code. Tools help as well but you can write some elegant, high quality code regardless of the language chosen. You can also write some real shit too but ultimately how many defects a piece of software has comes down to the design and testing that goes along with it. Some bodies of work get rigorous testing and it's not like OpenSSL's recent problem wasn't about deficient design it was about a faulty implementation. Faulty implementations in logic happen all the time and there are some bugs that just take awhile to become known. I mean even with test driven development and tools for code analysis probably couldn't have found this particular issue but considering how long it was in the code base without somebody questioning it goes back to not only stewardship by the team but the rest of the world who are using the code. If anything this situation points out that FOSS can have vulnerabilities just like proprietary software however the advantage is that with FOSS you can get it fixed much more quickly and because other people can see the implementation it can become scrutinized by folks outside the team that develops and maintains it.

In the case of Heartbleed the system works. A problem was found, it was fixed it's now just a matter of rolling out the fix and regressions are put into place to help insure that it doesn't happen again. The repercussions of what it means is that another gaping hole in our privacy was closed and that "bad guys" may have stolen data, rollout the fix ASAP. Your guess is as good as mine as to what was stolen is a matter of research and conjecture at this point. I doubt that the bad guys will tell us what they gained by exploiting it. Let's also be sure that until the systems with the bug are patched, they're vulnerable so cleanup on aisle 5.

To be honest it's a bit naive if we all assume that FOSS software that handles security doesn't have potential vulnerabilities. Likewise it's also naive to assume that proprietary code has it licked as well given the revelations of NSA spying for the past year. Given that there are numerous nefarious companies that sell vulnerabilities to anybody who can pay for it, that means unless you're buying them you probably will never know what is exposed until somebody trips over it. What this means for everybody that you can depend on is when those vulnerability-selling companies are out of business can assume that your software is free of the easier to exploit vulnerabilities; governments will always use all their tools to get intelligence including subverting standards and paying off companies who can give them access to what they want.

Re:heartbleed

I'm not going to yell about the openSSL guys.

I'm going to be honest here, they deserve yelling at, and I'm an open source fan. The error they made is exactly the same mistake that everyone else has made in years past when dealing with SSL: x509 and the SSL protocol demands [lengthofstring][string], "pascal" style. This is how everyone (open and closed source) got hit with that domain validation bug where the certificate said "(26)bank.com\0.blahblahblah.com". Certificate signers looked at the domain on the end of the string "blahblahblah.com" and validated it. Client programs treated it like a C string and thought it was a certificate for "bank.com". Not a single person anywhere said "whoa there, null bytes are not part of a valid hostname!"

The attack asks server to respond with "(65535)Hello" and the server replies with 65535 bytes of data. Falling for this attack is exactly like the guy who points and laughs at the person who just fell off their bike, seconds before falling off their own bike. They should have known better, especially with how high-profile these attacks were in the past.

The bit about writing their own malloc implementation, poorly, was just icing on the cake.

FreeBSD looks just as good as Linux

[Lawrence_Bird]

with nearly 2x the LOC.

Re:Code Quality Sucks on Either

[viperidaenz]

"none, because someone might find out I've made the code worse, not better"

Re:Biased data set perhaps?

[Squiggle]

I would expect both "open source" code to be of approximately equal quality to proprietary code. In each ideology you will get people who care (about quality), and people who don't, in approximately equal proportions, the same with skill, ingenuity and passion for the work.

The difference is that proprietary software is constrained by the number of developers able to view and work on the code. An open source project may have a similar number, or smaller set of core developers, but a much larger pool of developers that can spot problems, suggest alternatives, fix the one bug that is affecting them, etc. Having a more diverse set of developers will increase the chances that the software improves.

You could also make an argument about the motivations of the developers. Open source projects are often a community of people passionate about what they are building and have a strong incentive to make their code readable by others. By the nature of open source a developers reputation is on the line with every bit of code they make public. I've met far more developers scared to make their horrible code public than those worried about getting fired for equivalently horrible code.

Re:heartbleed

[loom_weaver]

Disclaimer, I work for Coverity. There's a write-up on why Coverity didn't find it out of the box here:

http://security.coverity.com/b...

Did they test OpenSSL?

[jonwil]

With all the noise about OpenSSL lately, running this Coverity test on it (and other security software like GNUTLS) and sharing the results seems like it would be a good thing...

Re:Did they test OpenSSL?

[ljw1004]

They did examine heartbleed.

http://ericlippert.com/2014/04...

Did you write your improvements in C+ ?

[raymorris]

Your four-sentence comment has five glaring errors that make it obvious that you have absolutely no idea what you're talking about. You very much remind me of the job applicant who told me he has experience in C, C+, and C++.

Quality of people process

[hessian]

If you have good quality people, especially a good leader, your code will be good.

Even if the people are relatively inexperienced.

At this point, just about everything in IT/CS is a research project, not innovation.

So it's a matter of diligently doing the work based on past archetypes.

There is no comparision

[Murdoch5]

Some open source projects will have better code then closed source projects and vice vesa, you can't just make a clean line.

Re:Not a surprise, but no reflection of O/S vs Pro

[gbjbaanb]

are you sure about that?

unsafe
{
// srcPtr and destPtr are IntPtr's pointing to valid memory locations
// size is the number of long (normally 4 bytes) to copy
    long* src = (long*)srcPtr;
    long* dest = (long*)destPtr;
    for (int i = 0; i < size / sizeof(long); i++)
    {
        dest[i] = src[i];
    }
}

that's valid C#, all you need to do is inject something like that into the codebase and let the JIT compile it (using all the lovely features they added to support dynamic code) and you're good to get all the memory you like.

Now I know the CLR will not let you do this so easily, but there's always a security vulnerability lying around waiting to be discovered that will, or an unpatched system that already has such a bug found in any of the .NET framework, for example this one that exploits... a "buffer allocation vulnerability", and is present in Silverlight.

The moral is ... don't think C programs are somehow insecure and managed languages are perfectly safe.

Unsafe code

[KingMotley]

Yes, so your argument is that you can, with great difficulty cause a possible security issue in C#, but in order to do so, you have to basically say... I'm about to do something possibly bad, please don't check to make sure what I'm doing is bad. Then modify the compiler from default to allow said code to be compiled, then put it into a fully trusted assembly so it bypasses all security checks, and THEN you might have an issue.

and this is comparision to where in C/C++ where you can write an exploit in 2 lines of code by accident, using nothing but defaults.