Is Open Source software safe and secure?
by David M Williams
Thursday, 22 May 2008
Page 2 of 4

Coverity identified that over 8,500 bugs had been repaired within the two-year period they covered. Yet the developers aren’t simply fixing what’s broken; they’re genuinely getting better too. The density of program faults per line of code has dropped by 16% over the same period, meaning that while totally bug-free software is, of course, not being released, the problems are becoming sparser.

Coverity do make available to the public, however, a measure of how rapidly the tracked open source projects respond to resolving flaws. They divided the projects into three rungs numbered 0 to 2. Projects on rung 2 were considered to have exceptionally low defect density. The development teams responsible can be lauded for writing highly clean code. When software faults have been revealed, the developers have responded swiftly to issue patches. Each of the projects on rung 2 happens to have over 50,000 lines of code, so all of them are quite substantial works of code. Here they are, and you’ll definitely recognise a few:

Amanda
courier-maildir
curl
libvorbis
NTP
OpenPAM
OpenVPN
Overdose
Perl
PHP
Postfix
Python
Samba
TCL
vim

This research should rightly be used to inspire confidence in each of the products listed. Those building web sites in PHP, for instance, can be assured their language of choice is not exposing either their users or themselves to any significant risk of exploit. This is also true for those implementing heterogeneous network infrastructures using Samba. In fact, Samba’s team fixed over 75% of the problems found by Scan within two reviews of the Scan analysis; i.e. three out of four problems were fixed within two iterations of the code analysis. Amanda’s team fixed over 40% of problems within one review. In case you’re interested, Amanda is a network backup system which can back up a large number of UNIX/Linux workstations to a single backup server.
Projects at rung 1 were less responsive; defects uncovered by Coverity still existed during later scans – or, I should add, not enough Coverity scans have been performed to ascertain responsiveness. However, progress to rung 2 is only possible by achieving a reasonably low defect count; any open source project remaining on rung 1 over time is not being noted for rapid response. Projects at this rung include apache-httpd, emacs, firefox, FreeBSD, gcc, glibc, GNOME, KDE, the Linux kernel 2.6, Mono, NetBSD, PostgreSQL, snort, tcpdump, Wine and X-Windows (X.org), among others.