
US Government Studies Open Source Quality

ScuttleMonkey posted more than 8 years ago | from the prefer-just-to-stay-off-of-dhs-radar dept.


anadgouda writes "US Department of Homeland Security has released a report on open source quality in an effort to study the security of open source. 31 popular open source packages were studied as part of this effort. From the article: 'Coverity's report, Stacking up the LAMP stack: a study of open source quality, was produced as part of a $1.24m, three-year DHS Science and Technology Directorate effort to evaluate and improve the security of open source.'"


165 comments


./ it self (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14850693)

What happened did /. slashdot itself?

Is this the same bunch? (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14850698)

If the evaluation put forth by Dept of Homeland Security is as shaky as their efforts with Hurricane Katrina I doubt anyone will take this seriously.

Re:Is this the same bunch? (0)

Anonymous Coward | more than 8 years ago | (#14850720)

Trolltard,

Department of Homeland Security is not the Federal Emergency Management Agency.

Re:Is this the same bunch? (0)

Anonymous Coward | more than 8 years ago | (#14850851)

Uh, FEMA now falls under the unbrella of DHS. DHS was ultimately in charge of FEMA during Katrine. So basically, you're wrong.

Re:Is this the same bunch? (0)

Anonymous Coward | more than 8 years ago | (#14850886)

Bad with logic *and* spelling? What a winner.

So, (4, Interesting)

Eightyford (893696) | more than 8 years ago | (#14850700)

So, does anyone have the numbers as to how much of the government uses open source? Is it mostly an applications thing (OpenOffice) right now, or are Linux and the BSDs much in use?

Re:So, (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14850718)

What's the point of the "So" at the start of your sentence? It doesn't give any more information. It doesn't even elaborate on or give emotion to any other information in your sentence. Try removing it - you will find your sentence works just as well.

Re:So, (1)

Eightyford (893696) | more than 8 years ago | (#14850732)

What's the point of the "So" at the start of your sentence? It doesn't give any more information. It doesn't even elaborate on or give emotion to any other information in your sentence. Try removing it - you will find your sentence works just as well.

Ugh, it adds a bit of casualness to the sentence.

Re:So, (0)

Anonymous Coward | more than 8 years ago | (#14850766)

His topic is 'So'.

Re:So, (0)

Anonymous Coward | more than 8 years ago | (#14850739)

So, thanks for pointing that out?

Re:So, (1)

Angostura (703910) | more than 8 years ago | (#14850846)

What's the point of the "So" at the start of your sentence? It doesn't add information, emotion or elaborate any facts. Try removing it - you will find your sentence works just as well.

Fixed that for you.

Re:So, (1)

lengau (817416) | more than 8 years ago | (#14850928)

So what's the point of your post? His grammar was still correct.

Re:So, (2, Funny)

jtev (133871) | more than 8 years ago | (#14851627)

It's called an explitive. Yes, really, the word is an actual part of speech, though common usage has twisted it into meaning words that are unacceptable for publication. An explitive is a word that adds flavor to written or spoken communication that does not alter the meaning of that communication. Thank you for playing the grammar game, but please, understand what you're criticizing before you play again.

Re:So, (1, Informative)

Anonymous Coward | more than 8 years ago | (#14851749)

"Thank you for playing the grammar game, but please, understand what you're criticizing before you play again."

The correct spelling is expletive.
Sorry, YFI.

Re:So, (1)

Neoprofin (871029) | more than 8 years ago | (#14850723)

I would say more in the vein of Linux/BSD, at least so far as the NSA having their own security-oriented distro which is available for download on their site.

Yes (5, Interesting)

jascat (602034) | more than 8 years ago | (#14850847)

While not used on every desktop, I know of a lot of F/OSS being used everyday in the military. It would be stupid to not use it. Why would companies like Redhat and Novell spend money on getting their software certified to run on classified systems if it wasn't going to get used? While we may be selling out to Microsoft a lot, there are times when those of us who know better manage to convince the decision makers of the right tool for the job. In some cases, it's a MS product, in others, it's something else.

Re:So, (1)

Voltageaav (798022) | more than 8 years ago | (#14851326)

It depends on what it's for. The vast majority of DoD machines have Windows, but there are some redhat boxes around as well. I've only seen OS programs on the Linux boxes beyond seeing Firefox every once in a while...

Re:So, (1)

LordVaderSithLord (958227) | more than 8 years ago | (#14851375)

I know that the personnel boxes that the military uses are Unix based

Re:So, (1)

squallbsr (826163) | more than 8 years ago | (#14851587)

The government is somewhat scared of OpenSource, especially in the government secrets world. It doesn't make much sense to be scared of OpenSource, but the argument that has been given time and time again is that anybody can look at the source code and hack into the system. This pertains more to the smaller projects that would be useful in the development of some government-made software product. There are a few Linux distributions on the "safe list" and also OSX is on that list too. I think the argument that other people have access to the source code holds no water - keep in mind that China has the source code to Windows. And with MSFT's attempt to appease the EU by making available the source code (under very tight NDAs) to developers. I think that it is better to have the code out in the open for all to see (and fix). Unfortunately I cannot change the mind of the government.

Re:So, (4, Interesting)

egypt_jimbob (889197) | more than 8 years ago | (#14851759)

Speaking as a student about to graduate and go into Federal Civil Service as a penetration tester, I can tell you that all of the agencies with which I have interviewed use mostly Linux. Well, all of the agencies that are actually good at what I want to do.

So far it's been mostly Gentoo from what I've seen, but there are some places that have to use RedHat because their management said it has to have 'support.'

Bear in mind, however, that the places I'm interviewing are hardcore hacker groups, so this may be (and probably is) completely off the norm.

LOL (1)

Original AIDS Monkey (315494) | more than 8 years ago | (#14850703)

Studying the "quality" of open sores software is like studying the blueness of the color red. Our tax dollars at work!

Evaluate and Improve (5, Insightful)

Jeremy.DeGroot (878927) | more than 8 years ago | (#14850708)

I think it's great that the government is backing this kind of study, and I think the high marks a lot of packages received will really be a boon to the OSS movement. I think the part of TFA that excites me the most though, is this:

Coverity evaluated 15m lines of open source code with Stanford University's Computer Science Department. The report has identified bugs that can corrupt a machine's memory space, memory leaks, buffer overruns and crashes. Coverity said it would now engage with open source developers to improve code, and identify potential reasons for why some projects have more bugs than others.

If they're going to take their comments back to the communities that develop the software, then this could give the development communities a lot to work on and improve, and that could give us some greatly improved software in a year or two's time. I think work like this is the real strength of Open Source, and I hope to see more of it in the future.
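For readers who have not seen what the two defect classes quoted above look like in code, here is a constructed C illustration, added to this page and not taken from Coverity's report, the Register article, or any of the projects studied: an unchecked copy into a fixed buffer (the buffer overrun) and an allocation that is released only on the success path (the memory leak), each beside a corrected form of the kind a static analyser would push a project toward. Function and buffer names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of two defect classes named in the report
 * summary (buffer overrun, memory leak), each beside a corrected form.
 * Not code from Coverity, the report, or any project it analysed. */

#define NAME_LEN 16

/* Defect: copies src into a fixed buffer with no size check, so any
 * input of NAME_LEN or more characters writes past the end of dst. */
int copy_name_unsafe(char dst[NAME_LEN], const char *src) {
    strcpy(dst, src);
    return 0;
}

/* Fix: bound the copy by the destination size, always NUL-terminate,
 * and tell the caller when the input had to be truncated. */
int copy_name_safe(char dst[NAME_LEN], const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_LEN) {
        memcpy(dst, src, NAME_LEN - 1);
        dst[NAME_LEN - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);  /* n + 1 includes the terminator */
    return 0;
}

/* Defect: the buffer allocated here is released only on the success
 * path; an input that fails to parse leaks it on every call. */
int parse_count_leaky(const char *line, long *out) {
    char *copy = strdup(line);
    if (copy == NULL) return -1;
    char *end;
    long v = strtol(copy, &end, 10);
    if (end == copy || *end != '\0') return -1;  /* copy is lost here */
    *out = v;
    free(copy);
    return 0;
}

/* Fix: one exit path that frees the buffer whatever the outcome. */
int parse_count(const char *line, long *out) {
    char *copy = strdup(line);
    if (copy == NULL) return -1;
    char *end;
    long v = strtol(copy, &end, 10);
    int rc = (end != copy && *end == '\0') ? 0 : -1;
    if (rc == 0) *out = v;
    free(copy);
    return rc;
}

int main(void) {
    char name[NAME_LEN];
    long count = 0;
    printf("short name: rc=%d \"%s\"\n", copy_name_safe(name, "alice"), name);
    printf("long name:  rc=%d \"%s\"\n",
           copy_name_safe(name, "a-name-longer-than-the-buffer"), name);
    printf("parse \"42\": rc=%d value=%ld\n", parse_count("42", &count), count);
    printf("parse \"4x\": rc=%d\n", parse_count("4x", &count));
    return 0;
}
```

The unsafe variants are included only for comparison; the main() exercises the corrected ones. The pattern in both fixes is the same one a review or analyser enforces: every path out of a function accounts for the resource it touched, whether that resource is a bounded buffer or a heap allocation.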

MOD PARENT DOWN (4, Funny)

Anonymous Coward | more than 8 years ago | (#14850812)

The parent is wasting valuable time on Slashdot that should be spent finalizing his Independent Study project for the College of Wooster [wooster.edu] . He has precious little time left.

Re:MOD PARENT DOWN (2, Interesting)

Jeremy.DeGroot (878927) | more than 8 years ago | (#14850937)

If this came from who I think it did, your IS ain't in any better shape than mine, buddy. :-p

Re:Evaluate and Improve (1)

T-Ranger (10520) | more than 8 years ago | (#14850877)

I wonder how many of the potential suggestions have been made by the OpenBSD crew, and already rejected....

Re:Evaluate and Improve (1)

Anonymous Coward | more than 8 years ago | (#14851475)

Actually two of the OpenBSD developers worked for Coverity last I heard (i.e. Ted Unangst and Peter Hessler). This probably gives them some influence ...

So they submitted Bugs, Right? (5, Interesting)

BigBuckHunter (722855) | more than 8 years ago | (#14850710)

This study would be extremely valuable if they had submitted BZilla bugs for each and every defect they encountered. It's hard to tell from the article whether they did or not. One thing that I have learned from running ~arch in Gentoo is that if you don't submit bugs, things aren't going to get fixed.

BBH

Re:So they submitted Bugs, Right? (4, Funny)

Too many errors, bai (815931) | more than 8 years ago | (#14850780)

If these packages are used within the government, the security holes discovered are probably kept secret. National security and all that.

Re:So they submitted Bugs, Right? (1, Flamebait)

rs79 (71822) | more than 8 years ago | (#14850817)

I hope they looked at DJBDNS and QMAIL.

All software should be that good.

If they found bugs in Bind, I'm not interested in the rest of the report. That's just pork.

Re:So they submitted Bugs, Right? (0)

Anonymous Coward | more than 8 years ago | (#14851319)

They might be good but how is that relevant? DJBDNS and QMAIL aren't open source.

RTFA (3, Interesting)

Night Goat (18437) | more than 8 years ago | (#14850882)

From the article, which I'm SURE you read:

Coverity evaluated 15m lines of open source code with Stanford University's Computer Science Department. The report has identified bugs that can corrupt a machine's memory space, memory leaks, buffer overruns and crashes. Coverity said it would now engage with open source developers to improve code, and identify potential reasons for why some projects have more bugs than others.

Yes, the folks who ran the tests plan to submit their findings to the developers to help squash bugs.

Re:RTFA (0)

Anonymous Coward | more than 8 years ago | (#14850992)

Why did they wait? No, really. Why have they waited until after releasing this report? Are they concerned the bugs might have been fixed too fast, thus making their attempt to paint OSS in a negative light that much less effective? Are they concerned that OSS developers might be able to defend their code in real-time if those developers had actual access to the specifics (rather than the generalities) of the report? No, really. Why did they wait?

Re:RTFA (0)

Anonymous Coward | more than 8 years ago | (#14851069)

Only a fool responds to AC posts, so paint me stupid. When you ask questions like that, your youth and inexperience become so apparent. Most formal testing/review strategies will not "feed back" into the source of the reviewed item until a preliminary or final report is produced. In a formal code walk-through, you don't have somebody jump up and leave the table as soon as the first bug is discovered; rather, you wait until the entire unit or module is reviewed. It's simply more efficient that way. Medical trials are conducted with a portion of a test group taking an "experimental" drug or treatment and only in the most critical of health care situations are patients recommended for treatment; typically they're followed for 1-5 years after the trial is over to see if there were differences. The same is true in most manufacturing processes. A manufacturer doesn't go back and alert everyone who's previously purchased a product about problems discovered later on (unless the problem is seriously life-threatening).

Re:RTFA (1)

justthinkit (954982) | more than 8 years ago | (#14851081)

Why did they wait? No, really. Why have they waited until after releasing this report? Are they concerned the bugs might have been fixed too fast, thus making their attempt to paint OSS in a negative light that much less effective?

I dislike bugs as much as the next coder and always try to fix them as soon as possible. However the govt. was supposedly trying to measure something and if they had told the OSS coders what they were up to it would have distorted the results.

Re:RTFA (1)

BigBuckHunter (722855) | more than 8 years ago | (#14851062)

I'm not sure what "engage with open source developers" means... Not just because they used the word "with", which was unnecessary and hard for me to parse. It doesn't necessarily mean that they're itemizing and reporting the defects. It may be some foo-foo conference where they review coding practices and plug some form of SDLC CM/EM/UAT crap. I hope that is not the case, and that we actually get something constructive out of this. Most of us have been through ISO/Six Sigma/Sas70 audits before and seen nothing worthwhile come of it.

BBH

Yes. (2, Informative)

Anonymous Coward | more than 8 years ago | (#14851487)

I'm involved in one of the F/OSS projects that Coverity analyzed; and yes, they were co-operative with the dev team in sharing their insights.

Re:So they submitted Bugs, Right? (1)

legirons (809082) | more than 8 years ago | (#14851704)

"This study would be extremely valuable if they had submitted BZilla bugs for each and every defect they encountered."

The article seems to suggest that the authors want to help with processes, rather than individual bugs.

That seems like a much better long-term idea, especially if (and this seems likely) they analysed a sample of code.

If someone analyses 1000 lines of code from a 100000 line project, then they'll have a fairly good idea of what processes (e.g. audits, code reviews, patterns) can help the team, whereas simply reporting the bugs they found would mean that 99% of the total bugs would remain undiscovered until someone conducted an equally thorough analysis of the rest of the code.

Fan of Linux, not of Homeland Security (3, Informative)

toddbu (748790) | more than 8 years ago | (#14850712)

I feel very conflicted by this report. On the one hand, I'm happy to see a report that favors open source. On the other hand, in the wake of the Katrina political fallout, it's difficult to say whether this report helps or hurts. The last thing LAMP needs right now is to get caught up in the Brown/Chertoff/GWB affair. The only thing worse would be to have the UAE issue a similar report. :-)

Re:Fan of Linux, not of Homeland Security (1)

g2devi (898503) | more than 8 years ago | (#14850811)

I don't see a reason to feel conflicted, unless you believe that some people/companies/institutions are pure evil 100% of the time or pure good 100% of the time. The world is a bit more nuanced than that.

I'm sure if you looked at the lives of Stalin, Attila the Hun, Saddam Hussein, and other despicable people you'd find that as bad as they were, they did *some* good. The opposite is true for Pope John Paul II, Gandhi, and JFK.

My own philosophy is to praise people/companies/institutions when they're good (no matter how bad they are normally) and condemn people/companies/institutions when they're bad (no matter how good they are normally).

They've done a good job here and that's good enough for me.

Re:Fan of Linux, not of Homeland Security (1)

Daniel Dvorkin (106857) | more than 8 years ago | (#14850888)

I think it's a matter of perception rather than a strict good-vs.-evil accounting. If your work is praised by a source widely considered to be incompetent and/or corrupt, then people will perceive your work as worse, not better, regardless of its actual merits -- or, for that matter, how justified the praise itself may be.

Re:Fan of Linux, not of Homeland Security (1)

HiThere (15173) | more than 8 years ago | (#14851019)

But when you are judging an action that is proposed to happen at some time in the future, you are always operating with incomplete information, and information that is biased in favor of whoever released the information. In such cases the course of wisdom is to examine the proposal in the light of your best guess of what the motives are, based on past actions of the agencies involved.

If someone has proven untrustworthy in the past, it's not wise to trust their promise about what they're going to do...but you may consider it plausible if it does appear to be of great benefit to them. (With some, even in such a case you consider the parable of the frog and the scorpion, and take what appear to be suitable precautions.)

Re:Fan of Linux, not of Homeland Security (1)

SnowZero (92219) | more than 8 years ago | (#14851465)

My own philosophy is to praise people/companies/institutions when they're good (no matter how bad they are normally) and condemn people/companies/institutions when they're bad (no matter how good they are normally).

You must be new here.

Re:Fan of Linux, not of Homeland Security (1)

NoTheory (580275) | more than 8 years ago | (#14850824)

That's a really ridiculous thing to say. The US government is supposed to be set up as a meritocracy. The idea is that there are career bureaucrats who sit in their jobs all of their life, independent of who is in power. The branches of government like the GAO, NASA, the President's Office of Management and Budget are all known for this. Not everything that goes on in Washington has to do with politics.

And frankly, I find it pretty weird to think that an operating system or software development movement could somehow become identified with a presidency.

Re:Fan of Linux, not of Homeland Security (3, Interesting)

toddbu (748790) | more than 8 years ago | (#14850892)

The branches of government like the GAO, NASA, the President's Office of Management and Budget are all known for this. Not everything that goes on in washington has to do with politics.

You can't really be that naive, can you? Take the OMB for example. There's a big debate [ombwatch.org] going on about whether OMB should use static scoring or dynamic scoring. It doesn't really matter which one you prefer, but I can tell you that in the current political climate it makes a *huge* difference. Democrats prefer static modeling because then they can argue against tax cuts. Republicans favor dynamic modeling to support a "trickle down" effect. But the idea that somehow OMB is neutral is ignoring reality. Even if they don't intend to favor one party or another, the fact is that there is no action that they can take that won't benefit one group or another.

Interesting that you should mention NASA. Their very existence depends on the support of the aerospace community and the regions of the country that benefit from NASA centers. They are very good at using their influence to get what they want. Even if you could claim that they don't favor one political party over another, they are still very skilled at using political influence to their advantage.

Re:Fan of Linux, not of Homeland Security (1)

mcc (14761) | more than 8 years ago | (#14850827)

The only thing worse would be to have the UAE issue a similar report. :-)

Oh no too late :O [linux.de]

Re:Fan of Linux, not of Homeland Security (2, Insightful)

Saeed al-Sahaf (665390) | more than 8 years ago | (#14850853)

There is no relationship between this study and Katrina. The disaster people work in a different office, down the hall. Would you like me to transfer you? Hold on....

Re:Fan of Linux, not of Homeland Security (1)

toddbu (748790) | more than 8 years ago | (#14850917)

Hold on....

I've been waiting several minutes now and have yet to be connected. Could you look into this for me? Also, I might suggest that you update your music-on-hold. I can only listen to "Rhinestone Cowboy [geocities.com] " just so many times.

Re:Fan of Linux, not of Homeland Security (1)

Lehk228 (705449) | more than 8 years ago | (#14851171)

was there any point to your post other than attempting to incite a flame war?

Re:Fan of Linux, not of Homeland Security (1)

toddbu (748790) | more than 8 years ago | (#14851309)

Why would you think I was trying to incite a flame war? Because I noted that there is a current political firestorm over Homeland Security and the UAE? The whole point of my post is that it's easy for good data to get lost in political debate. I think your post proves my point.

Their findings are as follows (4, Funny)

Mancat (831487) | more than 8 years ago | (#14850713)

Open-source software is a serious threat to this country. These terrorist schemes, or "development projects," as the terrorists refer to them, are designed to rot away the core values of our great nation that we hold so dearly. One in particular, known as "Linux," is especially suspect. It is "developed" by terrorists worldwide, many of whom are communists, and many of whom do not even support our great commander in chief! It is appalling! How can we trust the security of our nation to these rogue "developers?" Surely they may have hidden devices in their programs, hidden in elaborate matrices of computer programming, that when activated by the terrorists, will disable the software and send them all of our secret data! It can only be expected.

The terrorists are cunning, they are secretive, and they will destroy us if they have their way. This world-wide "open source" terrorist movement must be deconstructed and eliminated. There is no other way to protect our Great Nation! We say to you, as the purveyors of truth and all that is good, avoid this "open source" and its proponents like the plague! They wish to destroy everything we hold dear. You, my good American, are the first line of defense. Report users of "open source" to the authorities. Gather any information on them that you can. You may even consider running their dastardly "software packages" in your own free time, so that you may come to know your enemy - for knowledge is the greatest tool that we have in this fight.

Stand proud, my fellow Americans, and beware this new emerging beast. It will surely be the end of us all if we do not take action now.

Quoted from President George W. Bush's State of the Nation Address, January 2007.

Re:Their findings are as follows (0)

Anonymous Coward | more than 8 years ago | (#14850727)

Is that you Dick?

Re:Their findings are as follows (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14850762)

I just love how fucktard Linux users act like everyone is constantly putting them down and that's the only reason they can't get anywhere. The fact is that Linux sucks and it's not being adopted because it sucks.

Fucking political spin bullshit. Did you ever stop to think that if you put as much effort into improving the Linux thing as you do into blindly bashing others that you just may make some progress?

No, that's right, I forgot... This is slashdot, where a bunch of armchair engineers and know it alls who always think they can see bullshit from a mile away... Too bad you faggots are too afraid to leave your mothers basements and do something for real.

It's great to see you assholes cut on anyone who attempts anything like you'd somehow "know better", as if you were the last stronghold of knowledge on the face of the fucking planet.

You know why you bitches sit around here and complain? Cos you ain't got the balls to do anything. You've never accomplished jack shit and you sit around feeling all good about yourself for being able to quote some bullshit from wikipedia.

Go fuck yourselves, hard

This place smells like shit from the number of fucking assholes who have ruined it by thinking that only they have the keys to the universe. And fucking commander dildo is no better for being nothing but a fudge packing leftist who has brought slashdot down from someplace I could read about good articles elsewhere to a fucking liberal limp wristed rant page. Fuck this place and fuck its sponsors. I will not do business with businesses that advertise on fagdot.

The only thing left that's good around here is the trolls because they're god damn more insightful than most of the fucktards who get mod points for sucking on commander dildos dick by pandering to his leftist shit.

I hope this shit place goes under. Digg is about 50 times better since it doesn't rest on the goodwill of bully "administrators" to decide what's worth reading and what's not. commander dildo already knows this.

Cunts.

Digg Troll? (1)

Mancat (831487) | more than 8 years ago | (#14850772)

I'm glad to see that one of the first Digg Trolls chose to reply to my post. Have a good one buddy!

Re:Digg Troll? (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14850806)

Ha! You fucking can't even answer to the truth! Get your mind off of pondering what thinkgeek t-shirt you think is cool and fucking do something. Otherwise you're just a cunt and yes, YOU ARE JUST A CUNT

Slashdot fucking sucks. The quality of stories and comments is in decline as are the numbers! Hopefully this turd falls off the planet along with the infamous cunt Mancat.

Tell you what, fag, keep sucking on commander dildos dick and maybe when you get out of jr high you'll be ready for the real world. so for now go back to watching the transformers and taking it up the ass from high school jocks and someday you might wake up.

You probably don't even own your own fucking machine. It's probably your dads. fucking cunt.

Re:Digg Troll? (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14851184)

"Otherwise you're just a cunt and yes, YOU ARE JUST A CUNT"

"along with the infamous cunt Mancat"

from hyperdictionary: "cunt:[n] obscene terms for female genitals".

From the tone of your puerile rant, I presume you are male, around 15.

You don't like cunts? There are a great many colourful words in the English language to describe men who don't like female genitals. Maybe choose your insults a little more carefully?

Re:Their findings are as follows (0)

Anonymous Coward | more than 8 years ago | (#14850940)

Yes, BSD, Linux, Debian and Mandrake are all versions of an illegal hacker operation system, invented by a Soviet computer hacker named Linyos Torovoltos, before the Russians lost the Cold War. It is based on a program called "xenix", which was written by Microsoft for the US government. These programs are used by hackers to break into other people's computer systems to steal credit card numbers. They may also be used to break into people's stereos to steal their music, using the "mp3" program. Torovoltos is a notorious hacker, responsible for writing many hacker programs, such as "telnet", which is used by hackers to connect to machines on the internet without using a telephone.

http://www.adequacy.org/stories/2001.12.2.42056.2147.html [adequacy.org]

Re:MOD PARENT DOWN (0)

Anonymous Coward | more than 8 years ago | (#14851482)

How stupid do people have to be to mod this kind of a posting as funny? The OSS fanatics must have way too many points to spare. To quote another president, "I did not have sex with OSS".

Where's the report? (4, Insightful)

boa13 (548222) | more than 8 years ago | (#14850725)

One would expect that, being about open source and all, and with a purpose of helping open-source developers improve the quality of their code, they would publish the report on a government website somewhere. C'mon, where's the link?

Re:Where's the report? (1)

DogDude (805747) | more than 8 years ago | (#14851067)

Unfortunately, The Register's journalistic quality (and integrity) is on par with Slashdot's.

stanford will keep the database public... (5, Informative)

hihihihi (940800) | more than 8 years ago | (#14850733)

The report has better coverage on this page: http://www.eweek.com/article2/0,1895,1909946,00.asp [eweek.com]

From this TFA:
"Anti-virus vendor Symantec Corp. is providing guidance as to where security gaps might be in certain open-source projects."

PS: I am not sure if it has been published on /. or not

Re:stanford will keep the database public... (1)

HiThere (15173) | more than 8 years ago | (#14851006)

Well, it *sounds* good ... but Homeland Security? Symantec? I think I'll reserve judgement for a while. And Stanford has also got a mixed reputation WRT openness. Before I even trusted their intentions I'd want to go over the contract with a lawyer. Sometimes they're good guys, and other times...well, let's just say that I'd like to reserve judgement.

Meaningless categorization (4, Insightful)

sreekotay (955693) | more than 8 years ago | (#14850735)

I've always thought it VERY odd to think about "Open Source" as a thing.

It'd be like saying: We studied the quality of software compiled with the Watcom 10.0 C++ compiler. "Open source" cuts across so many levels of skill and projects. You can pretty much find projects that support (or destroy) whatever thesis you'd like to put forward.

Even more, somebody pays for the development of the software, one way or another.

This article (from ONLamp) http://www.onlamp.com/pub/a/onlamp/2005/07/21/software_pricing.html [onlamp.com] really puts it into better perspective. Basically, it says ALL software can be deconstructed to being about the service (at least so long as the technology curve continues, in practice, to limit its lifespan).

--
graphicallyspeaking [kotay.com]

Re:Meaningless categorization (2, Insightful)

Night Goat (18437) | more than 8 years ago | (#14850910)

It's a lot more difficult to study the bugs in closed source code and get a bugs per thousand lines of code metric out of it. That is probably why they're doing the testing on OSS.

No... Could it be..? (0)

Anonymous Coward | more than 8 years ago | (#14850746)

Could it be that something good came from the US Department of Homeland Security?

The US Gov't made that too generalized... (0)

Anonymous Coward | more than 8 years ago | (#14850749)

I don't think there is any question. Open and closed source will both be around for the foreseeable future.

To what extent is a different matter...

As long as there are people (and this would be the vast majority today) who care less about what license their software has than how well it does the job, then there will always be a market for closed-source software. On the condition that it is better than the available OSS solutions.

I think OSS will play this kind of role in the future, providing everybody with a basic set of software, and upping the ante for the quality of commercial software.

Commercial software on the other hand, will increasingly be for those who need and are willing to pay for the improved quality it offers (and will per definition be forced to offer in order to exist).

money? (-1, Flamebait)

daveddd (958915) | more than 8 years ago | (#14850758)

I wonder how many millions of dollars this study cost to study "free" software?

Re:money? (1)

HazE_nMe (793041) | more than 8 years ago | (#14850778)

as part of a $1.24m, three-year DHS Science and Technology Directorate effort

Damn you didn't even read the f**kin summary!

Re:money? OSS not free, but important! (0)

Anonymous Coward | more than 8 years ago | (#14851115)

Get a clue. Do you really think OSS is free? I've been a programmer long enough to know that many OSS programmers do a lot of their work while on someone else's nickel. Meaning, myself and others often spend an hour or more a day working on coding or reviewing OSS while we're at our day job. My boss never knows, to him software is software. Doing some math, averaging only 1.5 hours a day on OSS x 250 work days/year gives 375 hours (roughly 10 weeks) per year the bossman is getting screwed out of work for his company. At $20/hour (not counting cost of benefits), that's $7,500/year. And that's just one person who isn't totally obsessed with OSS! Don't try to fool people, OSS is not "free", but it is critical. Sort of like everyone doing their part to bring along this technology. Besides, working on OSS makes me a better programmer.

Re:money? (4, Insightful)

BeanThere (28381) | more than 8 years ago | (#14851159)

And I wonder how many more millions they can now save by using OSS, now that they know they can be more confident in its quality? Have you ever heard of the word "investment"?

There's something missing (1, Redundant)

Captain Lou (904174) | more than 8 years ago | (#14850779)

"...has effectively given the Linux, Apache, MySQL and Perl/PHP/Python (LAMP) stack a healthy rating. LAMP "showed significantly better software quality" above the report's baseline with an average of .32 defects per 1,000 lines of code, according to Coverity. The average for open source projects analyzed is .42 per 1,000 lines." What would be interesting to know is how they determined a baseline of .32 defects per 1000 lines of code as their baseline, and how so-called commercial products, like Oracle, Windows, MSSQL, etc. fared against the same baseline.

That's really the question, isn't it? Is open source more or less secure than any of the closed systems?

Compare with... (2, Interesting)

Anonymous Coward | more than 8 years ago | (#14850813)

...New Zealand's recent analysis of open source [e.govt.nz] , which focuses on legal issues.

OSS Security depends on people admitting a bug (0, Flamebait)

Wayne_Knight (958917) | more than 8 years ago | (#14850830)

The honest answer is free software is NOT always the best solution for every problem, especially when it comes to security. I know that people are going to flame me but sometimes the best current solution is a closed source program.

CAD is a good example. I have heard a lot of good things about a new open source CAD program but what if you have a lot of vendors that use Solidworks or Autodesk?

Office is another good example. Many local and state governments have tried Applix or Star Office (now OpenOffice) for a few years. The day that they got rid of it and went to Office 2003 the county workers were more productive than ever. They had a terrible time with sending files to and getting files in Office format. I tried to convince them that it would improve and that they shouldn't sign away their life, but they needed something that would just work. For them, Windows XP and Office 2003 just worked.

If you look at a lot of the government studies of who uses and gets the most benefit out of open source it tends to fall into two categories:
  1. REALLY BIG TECH COMPANIES. They have their own support and development staff and can contribute back to open source projects.
  2. Really tiny startups with a good techie or two. They are not big enough for the big vendors to care about. So the support they get for much of the open source tools is as good, or better than, what they get from big closed source vendors.
In the middle you have a lot of medium companies that really don't want to manage software developers or handle support in house. I am all for open source but there are a lot of issues yet to be solved.
  1. Education. I cannot take a course on Linux at my local Community College. I can get my MSCE or Cisco cert there.
  2. Support. I can make Linux work for me and my company but not every company can. Where is the Linux Geek Squad? Yea all those scan-disk, defrag, run adaware and scan for virus "techies" give me the creeps but they seem to fill a need. Where can the mythical grandmother go to get a DVD installed in her Linux box or find out how to fix Thunderbird if the mail folder blows up? I will not even go into the poor state of some documentation for open source programs.
  3. Teaching. If you are going to send people out into the real world as system administrators and/or programmers, they will have a better chance to find a job if they know Windows and Linux. Heck, they should know as many different systems as possible, like Z/OS and OS/400!
In conclusion, open source security depends on people admitting that bugs exist. If they act all high-and-mighty, nothing happens and it's just as bad as whatever software product is out there nowadays that people just love to hate.

Re:OSS Security depends on bugs being fixed (3, Insightful)

J. Random Luser (824671) | more than 8 years ago | (#14850979)

Support. I can make Linux work for me and my company but not every company can. Where is the Linux Geek Squad? Yea all those scan-disk, defrag, run adaware and scan for virus "techies" give me the creeps but they seem to fill a need. Where can the mythical grandmother go to get a DVD installed in her Linux box or find out how to fix Thunderbird if the mail folder blows up? I will not even go into the poor state of some documentation for open source programs.

Reminds me of when as a noob, I reported an error in a man page to a project mailing list, hoping somebody close to the project might pick it up and fix it. Nah, the response was: OK, write yourself a new man page.

That attitude still pervades most OSS projects. The result is open source is regarded as by geeks for geeks, and IMHO this, more than any perceived security risks, will keep it off the desktop for a long time yet. Sure, I see quite a few specialist applications coming thru now packaged for MacOS-X. Here's an example (names obscured to protect the ignorant): a multimedia application, gui built on GTK, equal to commercial products of several hundred dollars, well worthy of the suggested paypal donation. But it requires access to the Hardware Abstraction Layer, which is provided by a different oss project, whose raw binaries will do what's needed from the command line, but no gui interface yet, unless you build it, in Qt.

Security problems in OSS are multiplied by forking, and geekishness for its own sake.

Re:OSS Security depends on people admitting a bug (2, Insightful)

JulesLt (909417) | more than 8 years ago | (#14851012)

It's that good old 'total cost of ownership' - for the two categories you identified the answer is 'lower', but for many people lacking in IT skills it is a more complex calculation - especially in places where their IT support is already contracted out. O/S actually needs to come in and compete in these environments, rather than expecting them to become IT literate.

Advocates need to consider the many places in their lives where they purchase things rather than make or maintain them themselves - for many people without interest in technology, software is in that category - we live in a society where people pay a premium for ready-made meals, despite the repeated message they could save money by making their own.

Re:OSS Security depends on people admitting a bug (3, Insightful)

killjoe (766577) | more than 8 years ago | (#14851057)

Well the expected FUD mobile shows up again.

I especially love the "Windows XP and office 2003 just worked" line. That's a rich one. Anybody who has actually worked with those technologies knows how much effort it takes to make them "just work".

I do think you have a point about the incompatibilities of the office formats with other software. It's a well known fact that MS products use office formats to undermine other software. I think that people are finally wising up to this and pushing for ODF. Even MS has tried to make the default office format XML based so I think this problem will go away very soon.

What's interesting to me is how different office 12 looks from office 2003 (who the fuck came up with that versioning scheme?). It will be much easier to re-train employees from office 2003 to open office (which looks very similar) than to retrain employees to migrate from 2003 to 12. Office 12 looks and acts radically different than what people are used to.

Re:OSS Security depends on people admitting a bug (1)

alx.slashdot (630590) | more than 8 years ago | (#14851182)

Anybody who has actually worked with those technologies knows how much effort it takes to make them "just work".
Actually, if you're not the one spending the effort, there's no way to tell. For the average corporate user, the above is true because they've no idea how much effort it took the IT staff to make it work. From their point of view, it just works.

Re:OSS Security depends on people admitting a bug (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14851552)

Open office is barely usable garbage, until you spend an hour trying to figure out WHAT THE FUCK is going on with your page, and why it's auto mangling everything you type, EVERYTHING. Finding which options in that garbled mess of options is absurd.

Re:OSS Security depends on people admitting a bug (0)

burnin1965 (535071) | more than 8 years ago | (#14851142)

"I know that people are going to flame me"

Sometimes posts are deserving of the flames they attract.

"free software is NOT always the best solution for every problem, especially when it comes to security" ... ramble ramble ramble ... "open source security depends on people admitting that bugs exist. If they act all high-and-mighty, nothing happens and it's just as bad as whatever software product is out there nowadays that people just love to hate"

The start and end of your rant suggested you had some issue with security in open source software, yet you failed to mention a single point in the entire rant about security in open source software. There is some validity to some of your statements by themselves, but not one of them had any relevance to security.

While I'll admit that I have a low opinion of various closed source vendors there are many valid reasons for preferring open source software to closed source other than "people just love to hate".

My top reasons for using open source software:
1) The best licensing available as an end user.
2) By far the most secure solutions available.
3) Unbeatable cost of ownership.
4) Unmatched flexibility in hardware support, feature set, and resource footprint.
5) And my favorite, it just works, unlike many of the closed source offerings which have claims of just working and great interoperability; they usually turn out to have bizarre and unpredictable reliability issues and tend to have good interoperability only as long as you're interoperating with the same vendor's software at the same revision level.

burnin

Re:OSS Security depends on people admitting a bug (0)

Anonymous Coward | more than 8 years ago | (#14851162)

especially when it comes to security

-----------------

you then went on to mention issues about compatibility with existing infrastructure w/o even mentioning a security issue.

you go straight back to high school writing class, do not pass go.

Re:OSS Security depends on people admitting a bug (1)

BeanThere (28381) | more than 8 years ago | (#14851167)

How much do you get paid for an 'astroturf' post like that? (You're not very good at it though ... the whole formulaic "pretend to be an OSS advocate" to score mod points, it's like you pulled it from a marketing 101 textbook.)

Re:OSS Security depends on people admitting a bug (1)

the_bard17 (626642) | more than 8 years ago | (#14851671)

...Where is the Linux Geek Squad? Yea all those scan-disk, defrag, run adaware and scan for virus "techies" give me the creeps but they seem to fill a need. Where can the mythical grandmother go to get a DVD installed in her Linux box or find out how to fix Thunderbird if the mail folder blows up?...

Actually, there are (more than) a few of us in that Geek Squad who would be perfectly happy providing Linux support. It'll probably never happen... it's great that there are those of us who are technically literate enough to be comfortable working with Linux, but I can't see a nationwide company providing Linux support piecemeal. I'd rather expect them to expect each and every tech they've got working for them to be competent in Linux... which ain't gonna happen. Why? I wouldn't want to be put in charge of bringing all these "scan-disk, defrag, run adaware and scan for virus 'techies'" up to speed in Linux. Can't imagine giving the order, either, or explaining to your shareholders why you're spending such a massive amount of money training techs on an operating system with such a small marketshare (in residential homes, at least).

What's good for the goose.. (1, Interesting)

wfberg (24378) | more than 8 years ago | (#14850837)

is good for the gander?

I wonder what "bugs that can corrupt a machine's memory space, memory leaks, buffer overruns and crashes" have been uncovered by looking at the source code of closed source softw... oh. wait. no source. heh.

This might well mean that open source software will, at some point in the future, be considered more secure and well-written than comparable commercial closed source software even by government or PHBs.

You have to wonder about the difference in "errors per thousand lines of codes" metric though. Does one project use
int a;
a = 5;
and the other
int a=5;
?
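
The counting question raised here, as an added example that is not from this thread or from Coverity's report: a small Python script that scores the same constructed C snippets by physical lines (non-blank, non-comment) and by logical lines (statements), then shows how a fixed defect count turns into different "defects per 1,000 lines" figures under each convention. The two sample sources, the comment-stripping regex and the defect count are all constructed here; the statement counter is a deliberately simple heuristic (semicolons plus block openers), not Coverity's method.

```python
"""Defects-per-KLOC under two line-counting conventions.

Added illustration for the "int a; a = 5;" versus "int a=5;" question.
Everything below (sample sources, defect counts, the counting heuristic)
is constructed for the example and is not taken from the report.
"""
import re

# Constructed sample 1: the verbose style from the post, with comments added.
VERBOSE_SRC = """\
/* constructed sample: one declaration, then one assignment */
int a;
a = 5;

// loop body on its own line
while (a > 0) {
    a = a - 1;
}
"""

# Constructed sample 2: same logic written compactly.
COMPACT_SRC = """\
int a=5; /* constructed sample: same logic, fewer physical lines */
while (a > 0) { a = a - 1; }
"""

# Matches C block comments (non-greedy, across lines) and line comments.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)


def strip_comments(src: str) -> str:
    """Remove C comments. String literals containing comment markers are
    not handled; the constructed samples contain none."""
    return _COMMENT_RE.sub("", src)


def physical_loc(src: str) -> int:
    """Count lines that still contain code once comments and blanks are gone."""
    return sum(1 for line in strip_comments(src).splitlines() if line.strip())


def logical_loc(src: str) -> int:
    """Approximate statement count: each ';' terminator plus each '{' that
    opens a compound statement. Known limitation of the heuristic: the two
    semicolons inside a 'for (;;)' header would be over-counted."""
    code = strip_comments(src)
    return code.count(";") + code.count("{")


def defects_per_kloc(defects: int, loc: int) -> float:
    """The density metric quoted in the report, rounded to two decimals."""
    if loc <= 0:
        raise ValueError("loc must be positive")
    return round(defects * 1000 / loc, 2)


def compare(defects: int = 1) -> dict:
    """Score both samples with the same (constructed) defect count under
    each convention, so the effect of the counting rule is visible."""
    result = {}
    for name, src in (("verbose", VERBOSE_SRC), ("compact", COMPACT_SRC)):
        phys, logi = physical_loc(src), logical_loc(src)
        result[name] = {
            "physical_loc": phys,
            "logical_loc": logi,
            "per_kloc_physical": defects_per_kloc(defects, phys),
            "per_kloc_logical": defects_per_kloc(defects, logi),
        }
    return result


if __name__ == "__main__":
    for name, scores in compare().items():
        print(name, scores)
```

With one constructed defect in each sample, the physical count gives the verbose version 200 and the compact version 500 defects per KLOC; the statement count narrows that to 250 versus 333.33, since `int a; a = 5;` is still two statements against one. Any per-KLOC comparison across projects is only meaningful if the same counting rule was applied to all of them.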

Re:What's good for the goose.. (1)

jofi (908156) | more than 8 years ago | (#14850879)

A government should have no problem getting the source code from Microsoft, and certainly isn't by means of the government forcing anyone.

Open Source Software: Opportunities and Challenges (5, Informative)

Old Duck (957936) | more than 8 years ago | (#14850898)

An interesting study was done by the U.S. Military (the Air Force, I believe) concerning Open Source and its place in the department of defense, though it is written in such a way to be useful to non-military personnel and applications. It is a similar, yet IMHO more interesting, read than the parent.

The report can be found as a PDF at http://www.stsc.hill.af.mil/crosstalk/2005/01/0501Tuma.pdf [af.mil]

Re:Open Source Software: Opportunities and Challen (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14850972)

Upon reading the PDF it struck me that if an organisation like the military wanted to use OSS in a more secure fashion, then the use of closed locked down binaries of the code like a default Linux secure network setup is the best option. The problems arise when the individual nodes can be modified willy-nilly by malicious code. If you do not include a compiler on the nodes and make sure that binaries cannot be installed by users then you have a blueprint for bulletproof security. Given that the code that is originally compiled into the secure binaries is all visible, it would seem dangerous for the military to use closed source binaries like windows software and remote access sys-admin.

What is normal? (2, Insightful)

CAPSLOCK2000 (27149) | more than 8 years ago | (#14850904)

FTA:

LAMP "showed significantly better software quality" above the report's baseline with an average of .32 defects per 1,000 lines of code, according to Coverity.
The average for open source projects analyzed is .42 per 1,000 lines.

Does anyone have any factual data on what is "normal" (accepting all the problems of counting lines and bugs in the first place)? I've seen estimates range from 2 to 100 per 1000 lines.

Thanks for wasting a million bucks of our money (1)

vmalloc_ (516438) | more than 8 years ago | (#14850925)

Next time give that money back to us and write "USE OPENBSD" on your report. Better yet, just give them the money, and they'll actually do security stuff with it.

only europe can fix america. (0)

Anonymous Coward | more than 8 years ago | (#14850947)

I'm not sure what this report is good for. The real battle is on three fronts: SCO vs. IBM, Microsoft vs. EU, and real change at the USPTO.

SCO vs. IBM. A cloud hanging over Linux. It really has to be resolved to clear the name of open source. So far so good, but it ain't over til it's over. Who is to say the Judge won't prejudice herself at the last minute, getting her ruling thrown out? It's happened before, right?

Microsoft vs. EU. Looking back at the MS case in the USA...please, what kind of Judge breaks up a company, then goes on nationwide TV spewing a bunch of prejudicial remarks against the defendant? He knew exactly what he was doing...giving MS another get out of jail free charge. Judgment set aside within weeks. Hopefully the EU will do a better job at enforcing America's laws.

USPTO: Without huge changes in the way software patents are dealt with, open source will die. Closed source is the only way to (somewhat) hide patent infringement. How many officials can MS, Apple, Oracle, Sony woo? Answer: all of them.

What does the US government really think of open source? Look around you, they use it sparingly and grudgingly.

If you're in the military security business, you know open source is officially categorized as "a key to operational predictability"--that is, your opponent can form strategies based on knowledge of open source software released or used by government agencies. I don't really agree with this, since knowing which closed source applications the government creates or uses can provide the same damn thing, especially to a determined adversary, with rooms full of qualified people hacking on the binaries!

Re:only europe can fix america. (1)

v1 (525388) | more than 8 years ago | (#14851317)

Closed source has the immediate advantage of obscuring your code. Hackers can't pore over your source code for mistakes or the occasional red-flag comments. ("we'll just assume xyz here, will code in a check later when we get specs.") Open source is immediately open to scrutiny.

In the short term, closed source is useful because when your code first hits the network no one knows much about the internals, there are no known holes, and finding holes is difficult. Open source is open to immediate and sophisticated attack as the hackers can see the program flow and exploit visible weaknesses.

As time goes on, open source is patched to deal with the flaws. Even though the open and closed source could technically be the exact same program, the open source one benefits from the initial exploitation by rapid evolution. Being open source though, it probably started out a little behind the closed source, because it likely did not have a paid and well-organized development group working on it, so it has a little catching up to do anyway. The closed source also evolves, but only in response to internal testing and analysis, and the occasional black/white hat that finds something by poking through the binaries.

So after a few years, the initial security/stability gap between the two is eliminated. Old open source projects do tend to stagnate after a few years, so development there probably slackens. This happens at about the time you'd expect two competing projects to about equal each other.

The question then is what happens from there? I believe this is very dependent on the open and the closed projects you examine. Open source may continue active development and surpass closed source. Or it may stagnate and be passed by the paid updates released on a continual basis from the closed source.

Because of this I don't believe either model is ideal. Depending on how the cards play out, either one could be the better solution. I'd like to think that open source is the winner, but I'm sure it isn't the clear winner.

Wow (2, Funny)

ROOK*CA (703602) | more than 8 years ago | (#14851018)

Three years, $1.24 Million, and what do we got .....

The envelope please ...

"LAMP "showed significantly better software quality" above the report's baseline with an average of .32 defects per 1,000 lines of code, according to Coverity. The average for open source projects analyzed is .42 per 1,000 lines."

Wow, LAMP is a pretty damn high quality stack after all....gee thanks Captain Obvious, we didn't really need those tax dollars for anything anyways. :)

This report is a GOOD thing! (0)

Anonymous Coward | more than 8 years ago | (#14851063)

I'm a contractor at DHS and have been trying to get them to use Linux in many of the systems we work on. I've given them the whole spiel about licensing, lower cost, dependability, etc of OSS solutions vs. the proprietary software. I'm hoping their own report will help convince programs within DHS to look to OSS instead of watching most of our IT budget go to software licensing.

Re:This report is a GOOD thing! (1)

ROOK*CA (703602) | more than 8 years ago | (#14851107)

Yeah of course it is, where else besides a Federal Government Agency do you have to spend almost a million and a quarter dollars just to convince the suits that the IT department knows what it's talking about?

Be Afraid. Be Very Afraid (-1, Troll)

PingXao (153057) | more than 8 years ago | (#14851072)

This is the same government that:
  • concluded there were WMD in Iraq
  • says global warming is fiction
  • said the air in NYC was fine after 911
  • is destroying NASA by wasting billions on a program that will be cancelled by the next president
Expecting these clowns to come up with a valid result is like expecting Jesus (D) Nazareth to return tomorrow in his holy tardis.

Some corporation and their lobbyists are behind this study - probably Microsoft - and the result is already bought and paid for.

Mod parent up (0)

Anonymous Coward | more than 8 years ago | (#14851230)

It's not a troll if a mod has a political bias that conflicts with the post. If you can disprove something factual in the post, then mod it troll. But don't just mod things down for political persuasion.

superb! (4, Funny)

macsox (236590) | more than 8 years ago | (#14851112)

if there is one group of people i trust to be able to accurately identify a quality product, it's the government.

.32 out of 1,000 lines of code? (1)

XB-70 (812342) | more than 8 years ago | (#14851165)

Hmmmmm, wonder what Vista would look like under that scrutiny?...
Hmmmmmm.... Hey, I have a thought: if Microsoft does as it says and allows the Gov't to view its code (without releasing it), should not this standard of examination be applied to Microsoft's software too so that we could have a better idea of just what level of quality we can expect from the private sector?

Re:.32 out of 1,000 lines of code? (1)

obarel (670863) | more than 8 years ago | (#14851359)

If Vista has 40,000,000 lines of code and 10,000 bugs were found (that's 50 fixes in each Windows Update, every week, for four years), they'd still be better than 0.32 defects per 1000 LOC.

I've no idea how many lines there are in Vista (or, for that matter, how you count them), but the rumours say that Windows XP is about 40M LOC.

Same Old Math Error (2, Interesting)

oldCoder (172195) | more than 8 years ago | (#14851199)

These guys just can't think straight:
LAMP "showed significantly better software quality" above the report's baseline with an average of .32 defects per 1,000 lines of code, according to Coverity. The average for open source projects analyzed is .42 per 1,000 lines.
So if LAMP open-source is simply more verbose than other kinds of open source, the number of bugs per line of code can go down? How about just adding a million lines of bug-free but totally bogus code to your project -- and completely winning the race of "Defects per 1,000 lines of code"?

If I remember correctly Coverity has been discussed on slashdot previously and they used the same diseased statistical thinking back then, too.

Re:Same Old Math Error (1)

Jayr (319806) | more than 8 years ago | (#14851797)

Well, I suppose that would work. But such padding would show up pretty obviously in the analysis, don't you think? I doubt many projects optimize for defects/kloc by adding worthless code instead of just writing better code.

A measure has to be made here, and although defects/kloc can be gamed, it's pretty obvious when such gaming has occurred.

hypocrisy (1)

ricoder (414205) | more than 8 years ago | (#14851620)

Well, at least it can be seen that there is overwhelming bias at slashdot. Not that I care, since I still read the news here.

If any MS (or should I say M$) product were to have been put in an article like that, the mobs would have screamed for Gates's head. However, since it is the all-powerful-silver-bullet-snake-oil open source, all I see are excuse makers and doubters. If anyone is to even take themselves seriously, they must be at least OPEN to the idea that something they believe in is not perfect, and possibly quite flawed.

It's one thing to sit in an ivory tower, or garage, and pontificate on the utopian ideals of open source and free love without concern of ramification. It is a completely different thing to be tasked with the welfare of a nation and its people and just HOPE that the software is safe and will work as promised. I can appreciate the Linux/OpenSource/FreeLove ideals of slashdot and its readership, but there is a point when a person has to put personal bias aside and consider that there are greater things at risk than personal pride and being 1337.