Code Quality: Open Source vs. Proprietary
just_another_sean sends this follow-up to yesterday's discussion about the quality of open source code compared to proprietary code. Every year, Coverity scans large quantities of code and evaluates it for defects. They've just released their latest report, and the findings were good news for open source. From the article:
"The report details the analysis of 750 million lines of open source software code through the Coverity Scan service and commercial usage of the Coverity Development Testing Platform, the largest sample size that the report has studied to date. A few key points: Open source code quality surpasses proprietary code quality in C/C++ projects. Linux continues to be a benchmark for open source quality. C/C++ developers fixed more high-impact defects. Analysis found that developers contributing to open source Java projects are not fixing as many high-impact defects as developers contributing to open source C/C++ projects."
Java project developers participating in the Scan service only fixed 13 percent of the identified resource leaks, whereas participating C/C++ developers fixed 46 percent. This could be caused in part by a false sense of security within the Java programming community, due to protections built into the language, such as garbage collection. However, garbage collection can be unpredictable and cannot address system resources, so these projects are at risk.
This is especially amusing in light of all the self-righteous bashing that C was getting over OpenSSL's problems. Seems it's true that using a "safe" language just makes the programmer lazy.
Coverity: Hey you, proprietary software developer with the deep pockets. Yeah, you. We've got this great tool for finding software defects. You should buy it.
Proprietary software developer: get lost.
Coverity: Hey, open source dudes, we've got this great defect scanner. Want to use it? Free of course!
Open source dudes: Meh, why not?
Coverity: Hey proprietary software developer, did we mention those dirty hippie neck beards are beating the stuffing out of you in defect (that we detect)-free code?
PSD: Fine, how much?
I'm not going to yell about the OpenSSL guys.
I'm going to be honest here: they deserve yelling at, and I'm an open source fan. The error they made is exactly the same mistake that everyone else has made in years past when dealing with SSL: X.509 and the SSL protocol demand [lengthofstring][string], "pascal" style. This is how everyone (open and closed source) got hit with that domain validation bug where the certificate said "(26)bank.com\0.blahblahblah.com". Certificate signers looked at the domain on the end of the string, "blahblahblah.com", and validated it. Client programs treated it like a C string and thought it was a certificate for "bank.com". Not a single person anywhere said "whoa there, null bytes are not part of a valid hostname!"
The attack asks the server to respond with "(65535)Hello" and the server replies with 65535 bytes of data. Falling for this attack is exactly like the guy who points and laughs at the person who just fell off their bike, seconds before falling off his own bike. They should have known better, especially given how high-profile these attacks were in the past.
The bit about writing their own malloc implementation, poorly, was just icing on the cake.
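The two mistakes the comment above describes, a NUL byte hiding inside a length-prefixed hostname field and a heartbeat record whose declared payload length is trusted over the number of bytes actually received, side by side with the checks that catch them. This is an added example, not code from the original post and not OpenSSL's own code; the buffers CN_WITH_NUL, CN_OK, HB_EVIL and HB_OK are constructed here for illustration, and the record layout [type:1][payload_len:2][payload][padding:16] is assumed for the heartbeat part.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not from the original post, not OpenSSL code): two ways a
 * [length][bytes] field is mishandled. All buffers below are constructed
 * for illustration.
 */

/* ---- 1. Embedded NUL inside a length-prefixed hostname field ---- */

/* Naive: copy the field out and compare as a C string. strcmp stops at
 * the first NUL, so "bank.com\0.evil.example" compares equal to "bank.com". */
int naive_host_matches(const uint8_t *field, const char *expected)
{
    uint8_t len = field[0];
    char buf[256];
    memcpy(buf, field + 1, len);
    buf[len] = '\0';
    return strcmp(buf, expected) == 0;
}

/* Strict: a NUL is never valid inside a hostname, so reject the field if
 * one appears anywhere in the declared length; otherwise compare all of it. */
int strict_host_matches(const uint8_t *field, const char *expected)
{
    uint8_t len = field[0];
    if (memchr(field + 1, '\0', len) != NULL)
        return 0;
    return strlen(expected) == len && memcmp(field + 1, expected, len) == 0;
}

/* Constructed: length 22 = "bank.com" (8) + NUL (1) + ".evil.example" (13). */
static const uint8_t CN_WITH_NUL[] = {
    22, 'b','a','n','k','.','c','o','m', 0,
    '.','e','v','i','l','.','e','x','a','m','p','l','e'
};
/* Constructed: a legitimate 8-byte field. */
static const uint8_t CN_OK[] = { 8, 'b','a','n','k','.','c','o','m' };

/* ---- 2. Heartbeat-style record: [type:1][payload_len:2][payload][pad:16] ---- */

/* Vulnerable shape: trust the declared 16-bit length and echo that many
 * bytes, never checking it against the number of bytes actually received. */
long naive_echo_len(const uint8_t *rec, size_t rec_len)
{
    (void)rec_len;                       /* the bug: received size is ignored */
    return ((long)rec[1] << 8) | rec[2];
}

/* Hardened: header + declared payload + minimum padding must fit inside
 * the bytes that actually arrived, otherwise discard the record (-1). */
long checked_echo_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1 + 2 + 16)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + 16 > rec_len)
        return -1;
    return (long)payload;
}

/* Constructed: claims 65535 payload bytes but carries 5 ("Hello") + 16 padding. */
static const uint8_t HB_EVIL[] = {
    1, 0xff, 0xff, 'H','e','l','l','o',
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0
};
/* Constructed: honest record, declared length 5 matches the payload. */
static const uint8_t HB_OK[] = {
    1, 0x00, 0x05, 'H','e','l','l','o',
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0
};

int main(void)
{
    printf("naive  CN match: %d\n", naive_host_matches(CN_WITH_NUL, "bank.com"));
    printf("strict CN match: %d\n", strict_host_matches(CN_WITH_NUL, "bank.com"));
    printf("naive   echo len: %ld\n", naive_echo_len(HB_EVIL, sizeof HB_EVIL));
    printf("checked echo len: %ld\n", checked_echo_len(HB_EVIL, sizeof HB_EVIL));
    return 0;
}
```

The common thread is that the length on the wire is attacker-controlled data, so it is validated against what is known independently: the character set a hostname may contain, and the number of bytes the record layer actually delivered. The naive versions return "match" and 65535 for the crafted inputs; the checked versions reject both.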
You can't even attribute a quote correctly.
Linus was the guy that said "Look what you did to my code! You @#$%&! I'm gonna @#)+-*&$! You. You &$(#*%+."
Disclaimer, I work for Coverity. There's a write-up on why Coverity didn't find it out of the box here:
http://security.coverity.com/b...