Open-source bug hunt results posted

Discussion in 'Computer Security' started by Imhotep, Mar 11, 2006.

  1. Imhotep

    Imhotep Guest

    "Coverity Inc. of San Francisco has released the results of a Homeland
    Security Department-funded bug hunt that ranged across 40 popular
    open-source programs. The company found less than one-half of one bug per
    thousand lines of code on average, and found even fewer defects in the most
    widely used code, such as the Linux kernel and the Apache Web server."

    http://www.gcn.com/online/vol1_no1/40053-1.html
     
    Imhotep, Mar 11, 2006
    #1

  2. Imhotep wrote:
    > "Coverity Inc. of San Francisco has released the results of a Homeland
    > Security Department-funded bug hunt that ranged across 40 popular
    > open-source programs. The company found less than one-half of one bug per
    > thousand lines of code on average, and found even fewer defects in the most
    > widely used code, such as the Linux kernel and the Apache Web server."
    >
    > http://www.gcn.com/online/vol1_no1/40053-1.html


    I tried to get a free trial, but it says my email address
    is invalid. So I picked another
    shorter address, but that is supposedly invalid too.

    So let's hope their programming skills are better than those of their web
    designers.

    --
    Dave K MCSE.

    MCSE = Minefield Consultant and Solitaire Expert.

    Please note my email address changes periodically to avoid spam.
    It is always of the form: month-year@domain. Hitting reply will work
    for a couple of months only. Later set it manually.
     
    Dave (from the UK), Mar 11, 2006
    #2

  3. Imhotep

    ynotssor Guest

    "Imhotep" <> wrote in message
    news:

    > "Coverity Inc. of San Francisco has released the results of a Homeland
    > Security Department-funded bug hunt that ranged across 40 popular
    > open-source programs. The company found less than one-half of one bug
    > per thousand lines of code on average, and found even fewer defects
    > in the most widely used code, such as the Linux kernel and the Apache
    > Web server."


    "The cleanest program was XMMS, a Unix-based multimedia application. It had
    only six bugs in its 116,899 lines of code, or .51 bugs per thousands lines
    of code. "

    Hmmm, one has to question the entire validity of a study that presents an
    order of magnitude error in that summary calculation alone ...
     
    ynotssor, Mar 11, 2006
    #3
  5. Imhotep

    ynotssor Guest

    I quoted and wrote in message news:

    >> "Coverity Inc. of San Francisco has released the results of a
    >> Homeland Security Department-funded bug hunt ...

    >
    > "The cleanest program was XMMS, a Unix-based multimedia application.
    > It had only six bugs in its 116,899 lines of code, or .51 bugs per
    > thousands lines of code. "
    >
    > Hmmm, one has to question the entire validity of a study that
    > presents an order of magnitude error in that summary calculation
    > alone ...


    Your tax dollars at work. The dumbing-down and fattening-up of American
    society continues unabated.
     
    ynotssor, Mar 11, 2006
    #5
  6. Kristian Fiskerstrand

    ynotssor wrote, On 03/11/2006 08:57 PM:
    > I quoted and wrote in message news:
    >
    >>> "Coverity Inc. of San Francisco has released the results of a
    >>> Homeland Security Department-funded bug hunt ...

    >> "The cleanest program was XMMS, a Unix-based multimedia application.
    >> It had only six bugs in its 116,899 lines of code, or .51 bugs per
    >> thousands lines of code. "
    >>
    >> Hmmm, one has to question the entire validity of a study that
    >> presents an order of magnitude error in that summary calculation
    >> alone ...

    >
    > Your tax dollars at work. The dumbing-down and fattening-up of American
    > society continues unabated.
    >


    As far as I can see that is added by the author of the news article, not
    by Coverity. http://scan.coverity.com/ shows an alphabetic list of
    applications.

    What I would like to see though is the actual report per application,
    which at the moment only seems available to the application maintainer.
    They will probably appear in the respective bug tracking systems
    eventually, but still, it would be nice to skim through it to see how
    serious the bugs are.

    - --
    - ----------------------------
    Kristian Fiskerstrand
    http://www.kfwebs.net
    - ----------------------------
    http://www.secure-my-email.com
    http://www.secure-my-internet.com
    http://www.yourblog.in
    - ----------------------------
    Public PGP key 0x6B0B9508 at http://www.kfwebs.net/pgp/

     
    Kristian Fiskerstrand, Mar 11, 2006
    #6
  7. Imhotep

    Unruh Guest

    "ynotssor" <> writes:

    >"Imhotep" <> wrote in message
    >news:


    >> "Coverity Inc. of San Francisco has released the results of a Homeland
    >> Security Department-funded bug hunt that ranged across 40 popular
    >> open-source programs. The company found less than one-half of one bug
    >> per thousand lines of code on average, and found even fewer defects
    >> in the most widely used code, such as the Linux kernel and the Apache
    >> Web server."


    >"The cleanest program was XMMS, a Unix-based multimedia application. It had
    >only six bugs in its 116,899 lines of code, or .51 bugs per thousands lines
    >of code. "


    >Hmmm, one has to question the entire validity of a study that presents an
    >order of magnitude error in that summary calculation alone ...


    Could of course have simply been a typo
     
    Unruh, Mar 12, 2006
    #7
  8. Imhotep

    Alun Jones Guest

    In article <>, Imhotep <>
    wrote:
    >"Coverity Inc. of San Francisco has released the results of a Homeland
    >Security Department-funded bug hunt that ranged across 40 popular
    >open-source programs. The company found less than one-half of one bug per
    >thousand lines of code on average, and found even fewer defects in the most
    >widely used code, such as the Linux kernel and the Apache Web server."


    What does this have to do with Microsoft Security?

    I'll note again - from a point of bugs per line, there's no such thing as
    "more secure" or "less secure". There is "secure" and there is "unsecure".
    One security bug renders you "unsecure", and as such it's rather doubtful
    whether there really is such a thing as "secure".

    As an example, let's take a program with an escalation of privilege bug, and
    compare it with one that has a remote execution bug. Which one is more
    secure? Mu. [Look it up in a good dictionary]

    Alun.
    ~~~~

    [Please don't email posters, if a Usenet response is appropriate.]
    --
    Texas Imperial Software | Find us at http://www.wftpd.com or email
    23921 57th Ave SE | .
    Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
    Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
     
    Alun Jones, Mar 12, 2006
    #8
  9. Imhotep

    S. Pidgorny Guest

    G'day:

    "ynotssor" <> wrote in message
    news:...
    >
    > Your tax dollars at work. The dumbing-down and fattening-up of American
    > society continues unabated.
    >


    Not sure about the society as a whole, but regarding the taxpayers' money -
    absolutely!


    --
    Svyatoslav Pidgorny, MS MVP - Security, MCSE
    -= F1 is the key =-
     
    S. Pidgorny, Mar 13, 2006
    #9
  10. Imhotep

    Imhotep Guest

    Alun Jones wrote:

    ...contrary to popular belief. There are many Open Source "contributions" in
    MS products. Where do you think your TCP/IP stack comes from (Win 2000 and
    above)?

    Anyway, it is just an informative article and nothing more...

    Im

    > In article <>, Imhotep
    > <> wrote:
    >>"Coverity Inc. of San Francisco has released the results of a Homeland
    >>Security Department-funded bug hunt that ranged across 40 popular
    >>open-source programs. The company found less than one-half of one bug per
    >>thousand lines of code on average, and found even fewer defects in the
    >>most widely used code, such as the Linux kernel and the Apache Web
    >>server."

    >
    > What does this have to do with Microsoft Security?
    >
    > I'll note again - from a point of bugs per line, there's no such thing as
    > "more secure" or "less secure". There is "secure" and there is
    > "unsecure". One security bug renders you "unsecure", and as such it's
    > rather doubtful whether there really is such a thing as "secure".
    >
    > As an example, let's take a program with an escalation of privilege bug,
    > and
    > compare it with one that has a remote execution bug. Which one is more
    > secure? Mu. [Look it up in a good dictionary]
    >
    > Alun.
    > ~~~~
    >
    > [Please don't email posters, if a Usenet response is appropriate.]
     
    Imhotep, Mar 15, 2006
    #10
  11. Imhotep

    Imhotep Guest

    ynotssor wrote:

    Have you ever gone through code? If you did I think you would question it...

    > "Imhotep" <> wrote in message
    > news:
    >
    >> "Coverity Inc. of San Francisco has released the results of a Homeland
    >> Security Department-funded bug hunt that ranged across 40 popular
    >> open-source programs. The company found less than one-half of one bug
    >> per thousand lines of code on average, and found even fewer defects
    >> in the most widely used code, such as the Linux kernel and the Apache
    >> Web server."

    >
    > "The cleanest program was XMMS, a Unix-based multimedia application. It
    > had only six bugs in its 116,899 lines of code, or .51 bugs per thousands
    > lines of code. "
    >
    > Hmmm, one has to question the entire validity of a study that presents an
    > order of magnitude error in that summary calculation alone ...
     
    Imhotep, Mar 15, 2006
    #11
  12. Imhotep

    Imhotep Guest

    ynotssor wrote:

    BS! This has been needed for some time, since the overall quality of software
    has been "dumbed down". Oh indeed, let's look at how software is involved in our
    lives: air controller software, banking software; maybe software quality
    should have been taken more seriously a long time ago?

    Im

    > I quoted and wrote in message news:
    >
    >>> "Coverity Inc. of San Francisco has released the results of a
    >>> Homeland Security Department-funded bug hunt ...

    >>
    >> "The cleanest program was XMMS, a Unix-based multimedia application.
    >> It had only six bugs in its 116,899 lines of code, or .51 bugs per
    >> thousands lines of code. "
    >>
    >> Hmmm, one has to question the entire validity of a study that
    >> presents an order of magnitude error in that summary calculation
    >> alone ...

    >
    > Your tax dollars at work. The dumbing-down and fattening-up of American
    > society continues unabated.
     
    Imhotep, Mar 15, 2006
    #12
  13. Imhotep

    Pete Guest

    Imhotep wrote:
    > "Coverity Inc. of San Francisco has released the results of a Homeland
    > Security Department-funded bug hunt that ranged across 40 popular
    > open-source programs. The company found less than one-half of one bug per
    > thousand lines of code on average, and found even fewer defects in the most
    > widely used code, such as the Linux kernel and the Apache Web server."
    >
    > http://www.gcn.com/online/vol1_no1/40053-1.html


    I tried to sign up for a trial to have my own code tested. But it thinks
    my email is invalid (OK, I know this one is, but those I tried were
    not). So their web page (cgi, php or whatever) is unable to parse an
    email address properly. So it gives me 0.0000% confidence in the rest of
    their setup.
     
    Pete, Mar 20, 2006
    #13
  14. Pete wrote:

    >> http://www.gcn.com/online/vol1_no1/40053-1.html

    >
    > I tried to sign up for a trial to have my own code tested. But it thinks
    > my email is invalid (OK, I know this one is, but those I tried were not).


    There's a lot of places starting to reject anything from Hotmail, Yahoo,
    Gmail, and even some of the lesser known free webmail accounts because of
    people abusing them (mostly multiple accounts). Have you tried it from a
    "standard" ISP type email address?

    > So their web page (cgi, php or whatever) is unable to parse an email
    > address properly. So it give me 0.0000% confidence in the rest of their
    > setup.


    Could be a glitch.... maybe even something out of their control. Possibly
    even something like your ISP's spam filters refusing to respond the way
    their tests expect and masquerading as an open relay or something.

    Just some thoughts...
     
    George Orwell, Mar 20, 2006
    #14