Re: Open source software buggier than corporate
From: Cameron L. Spitzer (spambait_at_merde.greens.org)
Date: 18 Sep 2005 22:33:31 GMT
In article <XucXe.7359$Jr.email@example.com>, paolo wrote:
> ray wrote:
>> On Sat, 17 Sep 2005 14:30:31 +0000, Billary/2008 wrote:
>>>> [Ray disputed the misleading Zdnet "vulnerabilities" report]
>>>So where did YOU get your qualifications to make such stupid statements?
>> [Ray:] By doing software support and development for a
>> profession for 30+ years.
> [Paolo:] ray is right....we have the sources for Firefox so it is much more
> simple to find bugs.....
That's part of it. There's another factor. Firefox was
written in the style that public collaboration forces on
open source authors. Open source software products tend
to be more modular. If they're successful, and therefore
require some ongoing maintenance, an open source author
can expect emails from maintainers who can't figure out
what the original author was doing. So experienced
open source authors tend to try to make their code readable.
Proprietary code doesn't get so widely reviewed and
commercial code-writing environments tend to encourage
fast code production rather than design-for-maintenance.
Software designed to be maintained over the long term
tends to be more reliable and secure than code written
as quickly as possible.
One of the Ten Key Values of the Greens in the US
is "Future Focus" sometimes expressed as "Sustainability."
Disposable stuff seems to be a bad idea and that includes
> but the big thing about Opensource is that bugs are discovered and
> suddenly patched
I'm on a mailing list for security-related updates to
my software distribution. Every week or so some package
I depend on gets revised. It's routine maintenance.
It seems to me there's usually been a Mozilla or Firefox revision
a day or two before or after one of these "vulnerabilities" counts
gets widely publicized. I didn't see one this time, maybe it's
an older story getting rehashed. The warning a bug's been found
usually comes before anybody reports an exploit.
I haven't kept careful track, but it seems to me I see
dozens of revisions to some large, popular
open source software packages for every troublesome security
issue in the field. This means lots of
security bugs in open source get fixed *before* exploits
of those bugs appear in the field.
Most plausibly, at least a dozen exploitable bugs get fixed
before they're exploited in the wild by bad guys
for every bug the bad guys find.
(There are exceptions. I'd bet you could fill a small stadium with
admins whose users' down rev phpBB installation got used for spamming.)
I am sure the proprietary software vendors have huge,
well paid staffs to examine and review their design
departments' output. But I can't believe they're as big
as the workforce who has inspected things like Apache
or linux-2.6 or Sendmail.
>....for proprietary software there is a big delay
> between bug discovery and patching so malware makers can exploit them
I believe that problem is inherent in proprietary
software. It costs money for a for-profit company to
release a revision. They have to maintain their own
test labs because they don't want to preview immature
code in public. There's profit in bundling a security
fix into an upcoming feature release instead of just
pushing out bug fixes as they happen. Nobody wants
to call up a paying customer with a recall of the
revision she's happy with. If the customers will
stand for it, the software vendor wants to do it.