Linux Foundation Project Will Evaluate Security of Open Source Software
An anonymous reader writes: The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation, is developing a new free Badge Program, seeking input from the open source community on the criteria to be used to determine security, quality and stability of open source software. The first draft of the criteria is available on GitHub and is spearheaded by David A. Wheeler, an open source and security research expert who works for the Institute for Defense Analyses and is also coordinating the CII's Census Project, and Dan Kohn, a senior adviser on the CII.
Per my subject: It's something I heard John McAfee speak of (via his videos on YouTube), that "Open SORES" has very little quality assurance vs. commercially developed closed-source ware... & I tend to agree with him on that note.
* That "all said & aside" - thus, this IS a GOOD thing for the quality of open source wares then.
APK
P.S.=> It's needed - You MAY save "up front" by reusing OTHERS' code &/or wares via open source, but, here's the "flipside/downside" to it - not as much quality control... apk
Please, please, PLEASE do not let this thing get morphed into Yet Another Certification Program.
Considering the expense and the mind-chewing bureaucratic colonoscopy that PCI (and similar) usually requires, I'd hate to see something similar have to happen to OSS dev projects - they can't afford that shit (either in time, attention, or money).
If you're truly going to do it? Advise, not dictate. Not all OSS projects have big-name sponsors and gobs of money, so make it a service to the smaller ones if you can.
Quo usque tandem abutere, Nimbus, patientia nostra?
My criterion is "not being drunk between Christmas and New Year's Eve while you commit a very important modification to a critical security library."
And the black-hats promptly try really hard to compromise the evaluation process... 0 day express in 3.. 2..
In God we trust, all others require data.
kernel.org promised a full write-up regarding the security breach in 2011
Where is it? Why can't that be finished first?
Not seeing what kind of mess the source code is may help some people sleep. Having identified one security breach since I moved from a proprietary OS to an open source one in 2002, leading to less than a percent of any and all applications I use being proprietary, and that breach was because of a bug in WordPress and compromised only my web server, really helps me sleep better. Before that breaches were normal - yet I didn't even run any server software meant to be accessed from outside back then.
In capitalist USA corporations control the government.
I know I shouldn't feed the troll, but exactly how is this different from commercial software? I have only worked on commercial projects and most of the code is horrible. They are pushed to get the software installed and in production so money can be made. There is lots of cruft and hacks the customer will never see, thank god.
We can't even begin to talk about security seriously until we start talking about eliminating the bloat. My browser exceeds the size of my first operating system (installed, not floppy based). We can't begin to eliminate the bugs (which is what real security is all about) if there is an excess amount of code to review.
Instead of trying to review all the code we should reduce the code base to core critical components. Does the image library really need to support two dozen image file formats? Or can we get away with just a small handful of formats that are actually used?
P0wned!
I've seen so much open source software with fundamental coding and security errors I shudder every time I see someone using one of these applications. Sometimes it's OK to roll the dice on your home computer if you understand the risks and maintain adequate backups, but I recommend for my business clients never to use open source as you are literally entrusting your entire business to some unknown programmer who may or may not know what the hell they are doing and has zero accountability for mistakes.
"Unknown programmers", you say. So you have the names and contact information of each individual programmer who wrote Windows or whatever other commercial software you are using? No? In fact my own experience is - open source is the only time I have ever been able to directly contact the person who wrote (or maintains) the software, and not some useless scripted help-desk! Accountability? Did you ever read a standard commercial EULA before you agreed to it? Disclaiming liability is one of their primary purposes!
If you want that kind of ability to "entrust your business", you buy a support contract. Otherwise you won't get accountability from anyone, doesn't matter what license they use. Now I know you failed to notice this, but plenty of open source vendors offer support contracts, just like the closed-source vendors. Check out Red Hat Enterprise if you want a really prominent example.
You might be trolling, then again you might not be. So very many people feel a need to complain about things they clearly don't understand, ignoring readily available information that contradicts their cherished views ... well, it gets hard to tell.
See subject, get on topic, grow up & realize 1 thing: I've had more women that you'll *EVER* get in your entire lifetime in my 20's-30's alone...
APK
P.S.=> Lastly - Hey, it's not MY fault you're one of my 'naysayers' that just CANNOT ever get the better of me & especially on my points on hosts files - it's yours, loser... apk
You are painting with a broad brush.
The barrier to entry is much less in the Open Source community. Of course there are amateur developers out there. There are also excellent programmers out there.
Roll the dice you say? Have you ever heard of virtual machines, or, I don't know, actually reading the source code? Oh, you can't read code? Oh, you're just blowing smoke? Ah. Yes.
Member of the defense establishment, works with the NSA. Can he be trusted?
The current proposal involves a short self-assessment questionnaire and an automated script which checks a few things. The current (very early) draft of possible criteria is here:
https://github.com/linuxfounda...
Major items include a bug tracker (with responses to security bugs), source control, and peer review. These are all standard best practices which improve software quality.
If you have a one-person project and can't get someone else to review your commits, that's okay. You can keep doing what you're doing. However, your software also can't be expected to be as reliable and secure as something like Moodle, in which AT LEAST three people review all changes. Therefore Moodle would be able to use the badge and you wouldn't, until you got another person to look at your changes. Having some criteria for the badge actually makes it more useful for small projects because you can choose to use libraries which are badged and have some indication that they're somewhat reliable and secure.
The one pair of proposed criteria that isn't already done by most projects is use of a static analysis tool and a dynamic analysis tool. There are free, open source tools available and using them does reduce bugs and improve performance. Using them would be a change for many developers, but probably in the long term it'll save you more time than it costs.
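As an added illustration of the kind of automated check the comment above describes (example code, not the CII's script or its draft criteria), here is a toy self-assessment over a checkout covering the five items the comment lists: source control, a bug tracker, peer review, static analysis and dynamic analysis. The file conventions it reads (a README.md link, a `.ci.yml`, a `COMMIT_LOG` with `Reviewed-by:` trailers) and the analyzer name lists are constructed for this example.

```python
import os
import re
import tempfile

# Constructed allow-lists of analyzer names for this example; not the badge's own criteria.
STATIC_TOOLS = ("cppcheck", "clang-tidy", "coverity", "pylint", "bandit")
DYNAMIC_TOOLS = ("valgrind", "-fsanitize", "afl", "libfuzzer")


def _read(path):
    """Return a file's text, or '' if it is missing."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return ""


def _reviewed_by_someone_else(commit_line):
    """Constructed log format: '<author> | <subject> | Reviewed-by: a, b'."""
    parts = [p.strip() for p in commit_line.split("|")]
    author = parts[0]
    trailer = parts[-1] if len(parts) == 3 else ""
    if not trailer.lower().startswith("reviewed-by:"):
        return False
    reviewers = set(re.findall(r"[\w.-]+", trailer.split(":", 1)[1]))
    return bool(reviewers - {author})  # a self-review is not peer review


def assess(root):
    """Evaluate a checkout at `root`; returns {criterion: passed}."""
    readme = _read(os.path.join(root, "README.md"))
    ci = _read(os.path.join(root, ".ci.yml")).lower()  # hypothetical CI config name
    commits = [c for c in _read(os.path.join(root, "COMMIT_LOG")).splitlines() if c.strip()]
    return {
        "source_control": any(os.path.isdir(os.path.join(root, d)) for d in (".git", ".hg")),
        "bug_tracker": re.search(r"https?://\S+/(issues|bugs)\b", readme) is not None,
        "peer_review": bool(commits) and all(_reviewed_by_someone_else(c) for c in commits),
        "static_analysis": any(t in ci for t in STATIC_TOOLS),
        "dynamic_analysis": any(t in ci for t in DYNAMIC_TOOLS),
    }


def badge_eligible(root):
    """The badge requires every criterion to pass."""
    return all(assess(root).values())


def make_sample_repo(solo=False):
    """Constructed fixture: a tiny checkout; solo=True models a one-person project."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, ".git"))
    log = ("alice | Fix parser | Reviewed-by: alice\n" if solo else
           "alice | Fix parser | Reviewed-by: bob, carol\nbob | Add tests | Reviewed-by: alice\n")
    files = {"README.md": "Report bugs at https://example.org/proj/issues\n",
             ".ci.yml": "script:\n  - cppcheck src/\n  - CFLAGS=-fsanitize=address make test\n",
             "COMMIT_LOG": log}
    for name, text in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root
```

Run `assess(make_sample_repo(solo=True))` to see the one-person case from the comment: every criterion passes except peer review, so the project would not get the badge until a second person reviews its changes.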
I don't read code. I can't read code, and even if I could I don't have the time. I shouldn't have to, I just want software that fucking works the way it's supposed to and for some reason these days it seems to be more rare than leprechaun's gold.
See subject: It's what I always burn fools like you w/ on hosts files...
* :)
(It just works...)
APK
P.S.=> I didn't "find them" - they'd pick me (especially vs. "ne'er-do-well"'s like yourself, lol)... apk
Every public distribution channel is amateur hour, open source or commercial. Look at your favorite app store.
That said, while fully acknowledging the shortcomings of many such apps, it's wrong to be negative about some of the authors. Many are quite literally beginners, working on their first non-trivial program. The fact that they started and finished a non-trivial project puts them in the top echelon of their peers. High marks and congratulations for getting it done, now let me brutally comment on your implementation details, a public peer review of sorts. Learn, keep at it, you will become very good at this.
To a developer honest negative feedback is far more useful than positive feedback. It leads to product improvement. Positive feedback is for marketing blurbs.
I've seen so much open source software with fundamental coding and security errors I shudder every time I see someone using one of these applications.
You had me at this, but then lost me with
but I recommend for my business clients never to use open source
Yes, some popular parts of open source could use a huge overhaul on coding practices and designs, but they're still pretty decent most of the time. Especially the core code, like the Linux kernel, lots of great code quality overall.
See subject: You truly have issues & project them constantly, failing vs. myself @ every turn...
* You're TRULY pitiful...
APK
P.S.=> I really mean it - you're not only an off-topic illogical immature fool, but you project your own weaknesses with every reply - especially in having to effetely & VAINLY attempt to 'impersonate' me... apk
See subject: He's accomplished more than 99% of those here, including myself AND certainly more than you (Which blows YOU right outta the water, easily) & definitely more than the anonymous little unidentifiable little clown that thinks like a teenager does who even vainly tried to impersonate me here in this exchange...
* That's certain...
(In fact, the only person I know of here on /. that's a member here that's actually done BETTER? Mr. John Carmack (the 1st & ONLY person I ever used my registered account here to reply to in fact, & I only used it that one time)).
APK
P.S.=> In fact, he's done SO much, he can pretty much LAUGH @ ANYONE right in their faces (not his style though) because of it (& he does - I loved his 'how to uninstall McAfee antivirus' youtube video in fact)... apk
I can see this being used to knock out open source competitors.
"Something like Moodle where AT LEAST three people review any change".
Yeah, Moodle is my pet project; I'm at least three people.
Isn't this just going to be the Debian buffer overflow mailing list police stifling the creative processes of many?
I thought GNU/Linux was supposed to be Free as in speech not cost, and not open source.. Why are they calling Linux open source? GNGNGNGNGNG. I'm confused.