Linux Foundation Project Will Evaluate Security of Open Source Software

← Back to Stories (view on slashdot.org)

Linux Foundation Project Will Evaluate Security of Open Source Software

Posted by Soulskill on Friday August 21, 2015 @01:37AM from the if-boy-scouts-found-zero-days dept.

An anonymous reader writes: The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation, is developing a new free Badge Program, seeking input from the open source community on the criteria to be used to determine security, quality and stability of open source software. The first draft of the criteria is available on GitHub and is spearheaded by David A. Wheeler, an open source and security research expert who works for the Institute for Defense Analyses and is also coordinating the CII's Census Project, and Dan Kohn, a senior adviser on the CII.

37 comments

Min score:

Reason:

Sort:

This is a good thing... apk by Anonymous Coward · 2015-08-21 01:55 · Score: 0

Per my subject: It's something I heard John McAfee speak of (via his videos on YouTube), that "Open SORES" has very little quality assurance vs. commercially developed closed-source ware... & I tend to agree with him on that note.
* That "all said & aside" - thus, this IS a GOOD thing for the quality of open source wares then.
APK
P.S.=> It's needed - You MAY save "up front" by reusing OTHERS' code &/or wares via open source, but, here's the "flipside/downside" to it - not as much quality control... apk
1. Re:This is a good thing... apk by Anonymous Coward · 2015-08-21 02:39 · Score: -1
  
  You ever think of maybe finding a girlfriend? You can always date a fat chick if no self-respecting woman will have you (seems likely). It would still be better than sounding like the TimeCube guy all the time. Seriously, you're a raving lunatic. Now go convince yourself that by saying this, I "lost" something and you "won" some kind of "victory" that nobody cares about. That is, after all, one of your trademark maladaptive behaviors. I understand though, really. Without such defense mechanisms to keep your ego inflated, you'd have some kind of nervous breakdown at realizing how pathetic you are.
2. Re:This is a good thing... apk by Anonymous Coward · 2015-08-21 03:09 · Score: 0
  
  You care you constantly lose to apk. You're reply projects apk always wins.
3. Re:This is a good thing... apk by Barsteward · 2015-08-21 04:58 · Score: 1
  
  someone takes John McAfee seriously??? the fact that his company writes software to try and fix the deficiencies in Windows operating systems blows that comment out of the water
  
  --
  "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
Just one request... by Penguinisto · 2015-08-21 01:57 · Score: 4, Interesting

Please, please, PLEASE do not let this thing get morphed into Yet Another Certification Program.
Considering the expense and the mind-chewing bureaucratic colonoscopy that PCI (and similar) usually requires, I'd hate to see something similar have to happen to OSS dev projects - they can't afford that shit (either in time, attention, or money).
If you're truly going to do it? Advise, not dictate. Not all OSS projects have big-name sponsors and gobs of money, so make it a service to the smaller ones if you can.

--
Quo usque tandem abutere, Nimbus, patientia nostra?
drunk by Anonymous Coward · 2015-08-21 02:01 · Score: 1

My criteria is "not being drunk between christmas and new year eve while you commit a very important modification to a critical security library."
1. Re:drunk by Anonymous Coward · 2015-08-21 03:07 · Score: 0
  
  Why don't we get drunk and screw? (As in, a lightbulb)
Not that I am bitter by Stormcrow309 · 2015-08-21 02:06 · Score: 1

And the black-hats promptly try really hard to compromised the evaluation process... 0 day express in 3.. 2..

--
In God we trust, all others require data.
1. Re:Not that I am bitter by Anonymous Coward · 2015-08-21 02:27 · Score: 0
  
  And the black-hats promptly try really hard to compromised the evaluation process... 0 day express in 3.. 2..
  Yeah I really envy the Windows users. When will Linux finally be ready for the desktop? When it achieves compatibility with all that great malware out there! I need something more substantial than bots constantly trying to SSH as "root:passw0rd". Really I'm feeling left out over here. I need the EXCITEMENT of wondering what will infect my system next.
  Captcha: corrode
2. Re:Not that I am bitter by Stormcrow309 · 2015-08-21 02:46 · Score: 1
  
  Obviously, you don't run Apache... for a couple of years, that was a daily game. It isn't a dig at Open Source security, even though they have had their security nightmares. The problem is we have now a human process, which is very easy to compromise... In addition, will we see groupthink cause significant issues to be ignored, a problem currently not in existence within the open source community (sarcasm). It will be interesting and is better then what we have seen in the past.
  
  --
  In God we trust, all others require data.
3. Re:Not that I am bitter by Anonymous Coward · 2015-08-21 07:57 · Score: 1
  
  Android, a Linux itself, proves compatibility with all the new malware for smartphones out there like no other does.
Open source = amateur hour by Anonymous Coward · 2015-08-21 02:18 · Score: -1

I've seen so much open source software with fundamental coding and security errors I shudder every time I see someone using one of these applications. Sometimes it's OK to roll the dice on your home computer if you understand the risks and maintain adequate backups, but I recommend for my business clients never to use open source as you are literally entrusting your entire business to some unknown programmer who may or may not know what the hell they are doing and has zero accountability for mistakes.
1. Re:Open source = amateur hour by robsku · 2015-08-21 02:44 · Score: 1
  
  Not seeing what kind of mess the source code is may help some people sleep. Having identified one security breach since I moved from proprietary OS to open source one in 2002, leading to less than a percent of any and all applications I use being proprietary, and that breach was because of a bug in wordpress and compromised only my web server, really helps me sleep better. Before that breaks were normal - yet I didn't even run any server software meant to be accessed from outside back then.
  
  --
  In capitalist USA corporations control the government.
2. Re:Open source = amateur hour by Anonymous Coward · 2015-08-21 02:48 · Score: 1
  
  I know I shouldn't feed the troll, but exactly how is this different from commercial software? I have only worked on commercial projects and most of the code is horrible. They are pushed to get the software installed and in production so money can be made. There is lots of cruft and hacks the customer will never see, thank god.
3. Re:Open source = amateur hour by Anonymous Coward · 2015-08-21 02:52 · Score: 1
  
  I've seen so much open source software with fundamental coding and security errors I shudder every time I see someone using one of these applications. Sometimes it's OK to roll the dice on your home computer if you understand the risks and maintain adequate backups, but I recommend for my business clients never to use open source as you are literally entrusting your entire business to some unknown programmer who may or may not know what the hell they are doing and has zero accountability for mistakes.
  "Unknown programmers", you say. So you have the names and contact information of each individual programmer who wrote Windows or whatever other commercial software you are using? No? In fact my own experience is - open source is the only time I have ever been able to directly contact the person who wrote (or maintains) the software, and not some useless scripted help-desk! Accountability? Did you ever read a standard commercial EULA before you agreed to it? Disclaiming liability is one of their primary purposes!
  If you want that kind of ability to "entrust your business", you buy a support contract. Otherwise you won't get accountability from anyone, doesn't matter what license they use. Now I know you failed to notice this, but plenty of open source vendors offer support contracts, just like the closed-source vendors. Check out Red Hat Enterprise if you want a really prominent example.
  You might be trolling, then again you might not be. So very many people feel a need to complain about things they clearly don't understand, ignoring readily available information that contradicts their cherished views ... well, it gets hard to tell.
4. Re:Open source = amateur hour by Anonymous Coward · 2015-08-21 02:58 · Score: 0
  
  You are painting with a broad brush.
  The barrier to entry is much less in the Open Source community. Of course there are amateur developers out there. There are also excellent programmers out there.
  Roll the dice you say? Have you ever heard of virtual machines, or, I don't know, actually reading the source code? Oh, you can't read code? Oh, you're just blowing smoke? Ah. Yes.
5. Re:Open source = amateur hour by Anonymous Coward · 2015-08-21 03:06 · Score: 0
  
  I don't read code. I can't read code, and even if I could I don't have the time. I shouldn't have to, I just want software that fucking works the way it's supposed to and for some reason these days it seems to be more rare than leprechaun's gold.
6. Re:Open source = amateur hour by Bengie · 2015-08-21 05:16 · Score: 1
  
  I've seen so much open source software with fundamental coding and security errors I shudder every time I see someone using one of these applications.
  You had me at this, but then lost me with
  
  but I recommend for my business clients never to use open source
  Yes, some popular parts of open source could use an huge overhaul on coding practices and designs, but they're still pretty decent most of the time. Especially the core code, like the Linux Kernel, lots of great code quality overall.
What about the kernel security breach? by Anonymous Coward · 2015-08-21 02:28 · Score: 0

kernel.org promised a full write-up regarding the security breach in 2011
Where is it? Why can't that be finished first?
1. Re:What about the kernel security breach? by Lazere · 2015-08-21 03:53 · Score: 1
  
  Because kernel.org=/=The Linux Foundation?
SHRINK THE BLOAT by Anonymous Coward · 2015-08-21 02:49 · Score: 0

We can't even begin to talk about security seriously until we start talking about eliminating the bloat. My browser exceeds the size of my first operating system (installed, not floppy based). We can't begin to eliminate the bugs (which is what real security is all about) if there is an excess amount of code to review.
Instead of trying to review all the code we should reduce the code base to core critical components. Does the image library really need to support two dozen image file formats? Or can we get away with just a small handful of formats that are actually used?
24 years too late by Anonymous Coward · 2015-08-21 02:50 · Score: 0

P0wned!
ROTFLMAO - take your own advice... apk by Anonymous Coward · 2015-08-21 02:53 · Score: 0

See subject, get on topic, grow up & realize 1 thing: I've had more women that you'll *EVER* get in your entire lifetime in my 20's-30's alone...
APK
P.S.=> Lastly - Hey, it's not MY fault you're one of my 'naysayers' that just CANNOT ever get the better of me & especially on my points on hosts files - it's yours, loser... apk
1. Re:ROTFLMAO - take your own advice... apk by Anonymous Coward · 2015-08-21 04:20 · Score: 0
  
  I take it [b]all back[/b]. I am a [b]virgin[/b] and will die alone.
  P.S.=> HOSTS!!
DoD connections by Anonymous Coward · 2015-08-21 03:01 · Score: 0

Member of the defense establishment, works with the NSA. Can he be trusted?
short self-assess. Bug tracker, git, test suite by raymorris · 2015-08-21 03:02 · Score: 2

The current proposal involves a short self-assessment questionnaire and an automated script which checks a few things. The current (very early) draft of possible criteria is here:
https://github.com/linuxfounda...
Major items include a big tracker (with responses to security bugs), source control, and peer review. These are all standard best practices which improve software quality.
If you have a one-person project and can't get someone else to review your commits, that's okay. You can keep doing what you're doing. However, your software also can't be expected to be as reliable and secure as something like Moodle, in which AT LEAST three people review all changes. Therefore Moodle would be able to use the badge and you wouldn't, until you got another person to look at your changes. Having some criteria for the badge actually makes it more useful for small projects because you can choose to use libraries which are badged and have some indication that they're somewhat reliable and secure.
The one pair of proposed criteria that isn't already done by most projects is use of a static analysis tool and a dynamic analysis tool. There are free , open source tools available and using them does reduce bugs and improve performance . Using them would be a change for many developers, but probably in the long term it'll save you more time than it costs.
1. Re:short self-assess. Bug tracker, git, test suite by Anonymous Coward · 2015-08-21 05:50 · Score: 0
  
  I take it Moodle is your pet project?
That's nothing to brag about! by Anonymous Coward · 2015-08-21 03:09 · Score: -1

See subject, get on topic, grow up & realize 1 thing: I've had more women that you'll *EVER* get in your entire lifetime in my 20's-30's alone...
You had to keep finding new ones, of course. Women tend to get a bit freaked out when, during a moment of passion, you call out "OH HOST FILES. HOST FILES. OH YESSSS HOST FILESSS!!!". Then they stop returning your calls.
No brag: Just fact/truth... apk by Anonymous Coward · 2015-08-21 03:14 · Score: 0

See subject: It's what I always burn fools like you w/ on hosts files...
* :)
(It just works...)
APK
P.S.=> I didn't "find them" - they'd pick me (especially vs. "ne'er-do-well"'s like yourself, lol)... apk
Every public venue is amateur hour ... by perpenso · 2015-08-21 03:39 · Score: 1

Every public distribution channel is amateur hour, open source or commercial. Look at your favorite app store.

That said, while fully acknowledging the shortcomings of many such apps its wrong to be negative about some of the authors. Many are quite literally beginners, working on their first non-trivial program. The fact that they started and finished a non-trivial project puts them in the top echelon of their peers. High marks and congratulations for getting it done, now let me brutally comment on your implementation details, a public peer review of sorts. Learn, keep at it, you will become very good at this.

To a developer honest negative feedback is far more useful than positive feedback. It leads to product improvement. Positive feedback is for marketing blurbs.
1. Re:Every public venue is amateur hour ... by MacDork · 2015-08-21 04:48 · Score: 2
  
  Every public distribution channel is amateur hour, open source or commercial.
  This. If the download is compromised, it doesn't matter how secure the source is. Maybe what you thought was XCode is actually a CIA rootkit.
  Why is there no gpg signature on Eclipse.org downloads? Why are the jars in the eclipse executable even signed if the signatures are not verified by default in Eclipse? Why does the Oracle Java 8 ppa:webupd8team for Ubuntu download and install from http sources just after I typed in sudo?
"Impersonating" me now? LMAO... apk by Anonymous Coward · 2015-08-21 07:10 · Score: 0

See subject: You truly have issues & project them constantly, failing vs. myself @ every turn...
* You're TRULY pitiful...
APK
P.S.=> I really mean it - you're not only an off-topic illogical immature fool, but you project your own weaknesses with every reply - especially in having to effetely & VAINLY attempt to 'impersonate' me... apk
I certainly do - why? Ok... apk by Anonymous Coward · 2015-08-21 07:17 · Score: 0

See subject: He's accomplished more than 99% of those here, including myself AND certainly more than you (Which blows YOU right outta the water, easily) & definitely more than the anonymous little unidentifiable little clown that thinks like a teenager does who even vainly tried to impersonate me here in this exchange...
* That's certain...
(In fact, the only person I know of here on /. that's a member here that's actually done BETTER? Mr. John Carmack (the 1st & ONLY person I ever used my registered account here to reply to in fact, & I only used it that one time)).
APK
P.S.=> In fact, he's done SO much, he can pretty much LAUGH @ ANYONE right in their faces (not his style though) because of it (& he does - I loved his 'how to uninstall McAfee antivirus' youtube video in fact)... apk
Intentional/unintentional use? by duggman · 2015-08-21 07:41 · Score: 1

I can see this being used to knock out open source competitors.
yeah, I'm at least three people by raymorris · 2015-08-21 08:44 · Score: 1

"Something like Moodle where AT LEAST three people review any change".
Yeah, Moodle is my pet project; I'm at least three people.
All? Including games? by Anonymous Coward · 2015-08-21 13:19 · Score: 0

It isn't just going to be the Debian buffer overflow mailing list police going to stifle the creative processes of many?
Open Source? I thought linux was FREE software by Anonymous Coward · 2015-08-21 13:26 · Score: 0

I thought GNU/linux was supposed to be Free as in speech not cost, and not open source.. Why are they calling linux open source? GNGNGNGNGNG. I'm confused.