Open-source bug hunt results posted

 
 
Imhotep
 
      03-11-2006
"Coverity Inc. of San Francisco has released the results of a Homeland
Security Department-funded bug hunt that ranged across 40 popular
open-source programs. The company found less than one-half of one bug per
thousand lines of code on average, and found even fewer defects in the most
widely used code, such as the Linux kernel and the Apache Web server."

http://www.gcn.com/online/vol1_no1/40053-1.html
 
 
 
 
 
Dave (from the UK)
 
      03-11-2006
Imhotep wrote:
> "Coverity Inc. of San Francisco has released the results of a Homeland
> Security Department-funded bug hunt that ranged across 40 popular
> open-source programs. The company found less than one-half of one bug per
> thousand lines of code on average, and found even fewer defects in the most
> widely used code, such as the Linux kernel and the Apache Web server."
>
> http://www.gcn.com/online/vol1_no1/40053-1.html


I tried to get a free trial, but it says my email address
(E-Mail Removed) is invalid. So I picked another
shorter address, but that is supposedly invalid too.

So let's hope their programming skills are better than those of their web
designers.

--
Dave K MCSE.

MCSE = Minefield Consultant and Solitaire Expert.

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually.
 
 
 
 
 
ynotssor
 
      03-11-2006
"Imhotep" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)

> "Coverity Inc. of San Francisco has released the results of a Homeland
> Security Department-funded bug hunt that ranged across 40 popular
> open-source programs. The company found less than one-half of one bug
> per thousand lines of code on average, and found even fewer defects
> in the most widely used code, such as the Linux kernel and the Apache
> Web server."


"The cleanest program was XMMS, a Unix-based multimedia application. It had
only six bugs in its 116,899 lines of code, or .51 bugs per thousands lines
of code. "

Hmmm, one has to question the entire validity of a study that presents an
order of magnitude error in that summary calculation alone ...

 
ynotssor
 
      03-11-2006
I quoted and wrote in message news:(E-Mail Removed)

>> "Coverity Inc. of San Francisco has released the results of a
>> Homeland Security Department-funded bug hunt ...

>
> "The cleanest program was XMMS, a Unix-based multimedia application.
> It had only six bugs in its 116,899 lines of code, or .51 bugs per
> thousands lines of code. "
>
> Hmmm, one has to question the entire validity of a study that
> presents an order of magnitude error in that summary calculation
> alone ...


Your tax dollars at work. The dumbing-down and fattening-up of American
society continues unabated.

 
 
Kristian Fiskerstrand
 
      03-11-2006
ynotssor wrote, On 03/11/2006 08:57 PM:
> I quoted and wrote in message news:(E-Mail Removed)
>
>>> "Coverity Inc. of San Francisco has released the results of a
>>> Homeland Security Department-funded bug hunt ...

>> "The cleanest program was XMMS, a Unix-based multimedia application.
>> It had only six bugs in its 116,899 lines of code, or .51 bugs per
>> thousands lines of code. "
>>
>> Hmmm, one has to question the entire validity of a study that
>> presents an order of magnitude error in that summary calculation
>> alone ...

>
> Your tax dollars at work. The dumbing-down and fattening-up of American
> society continues unabated.
>


As far as I can see that is added by the author of the news article, not
by Coverity. http://scan.coverity.com/ shows an alphabetic list of
applications.

What I would like to see, though, is the actual report per application,
which at the moment only seems available to the application maintainer.
They will probably appear in the respective bug tracking systems
eventually, but still, it would be nice to skim through it to see how
serious the bugs are.

--
----------------------------
Kristian Fiskerstrand
http://www.kfwebs.net
----------------------------
http://www.secure-my-email.com
http://www.secure-my-internet.com
http://www.yourblog.in
----------------------------
Public PGP key 0x6B0B9508 at http://www.kfwebs.net/pgp/

 
Unruh
 
      03-12-2006
"ynotssor" <(E-Mail Removed)> writes:

>"Imhotep" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)


>> "Coverity Inc. of San Francisco has released the results of a Homeland
>> Security Department-funded bug hunt that ranged across 40 popular
>> open-source programs. The company found less than one-half of one bug
>> per thousand lines of code on average, and found even fewer defects
>> in the most widely used code, such as the Linux kernel and the Apache
>> Web server."


>"The cleanest program was XMMS, a Unix-based multimedia application. It had
>only six bugs in its 116,899 lines of code, or .51 bugs per thousands lines
>of code. "


>Hmmm, one has to question the entire validity of a study that presents an
>order of magnitude error in that summary calculation alone ...


Could of course have simply been a typo
 
 
Alun Jones
 
      03-12-2006
In article <(E-Mail Removed)>, Imhotep <(E-Mail Removed)>
wrote:
>"Coverity Inc. of San Francisco has released the results of a Homeland
>Security Department-funded bug hunt that ranged across 40 popular
>open-source programs. The company found less than one-half of one bug per
>thousand lines of code on average, and found even fewer defects in the most
>widely used code, such as the Linux kernel and the Apache Web server."


What does this have to do with Microsoft Security?

I'll note again - from a point of bugs per line, there's no such thing as
"more secure" or "less secure". There is "secure" and there is "unsecure".
One security bug renders you "unsecure", and as such it's rather doubtful
whether there really is such a thing as "secure".

As an example, let's take a program with an escalation of privilege bug, and
compare it with one that has a remote execution bug. Which one is more
secure? Mu. [Look it up in a good dictionary]

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | (E-Mail Removed).
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
 
 
S. Pidgorny
 
      03-13-2006
G'day:

"ynotssor" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> Your tax dollars at work. The dumbing-down and fattening-up of American
> society continues unabated.
>


Not sure about the society as a whole, but regarding the taxpayers' money -
absolutely!


--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-


 
 
Imhotep
 
      03-15-2006
Alun Jones wrote:

...contrary to popular belief. There are many Open Source "contributions" in
MS products. Where do you think your TCP/IP stack comes from (Win 2000 and
above)?

Anyway, it is just an informative article and nothing more...

Im

> In article <(E-Mail Removed)>, Imhotep
> <(E-Mail Removed)> wrote:
>>"Coverity Inc. of San Francisco has released the results of a Homeland
>>Security Department-funded bug hunt that ranged across 40 popular
>>open-source programs. The company found less than one-half of one bug per
>>thousand lines of code on average, and found even fewer defects in the
>>most widely used code, such as the Linux kernel and the Apache Web
>>server."

>
> What does this have to do with Microsoft Security?
>
> I'll note again - from a point of bugs per line, there's no such thing as
> "more secure" or "less secure". There is "secure" and there is
> "unsecure". One security bug renders you "unsecure", and as such it's
> rather doubtful whether there really is such a thing as "secure".
>
> As an example, let's take a program with an escalation of privilege bug,
> and
> compare it with one that has a remote execution bug. Which one is more
> secure? Mu. [Look it up in a good dictionary]
>
> Alun.
> ~~~~
>
> [Please don't email posters, if a Usenet response is appropriate.]


 