LAMP Lights the OSS Security Way
Kevin Young wrote to mention a ZDNet article which goes into some detail on new results from a Department of Homeland Security initiative. It's called the 'Open Source Hardening Project', and (funded to the tune of $1.24 million) the goal of the initiative is to use a commercial tool for source code analysis to buck up the security base of many OSS projects. LAMP (the combination of Linux, Apache, MySQL, and PHP/Perl/Python) was a 'winner' in the eyes of the project. From the article: "In the analysis, more than 17.5 million lines of code from 32 open-source projects were scanned. On average, 0.434 bugs per 1,000 lines of code were found, Coverity said. The LAMP stack, however, 'showed significantly better software quality,' with an average of 0.29 defects per 1,000 lines of code, the technology company said."
Old news (Score:2, Informative)
Dupe (Score:1, Informative)
Maybe I've been reading too much politics lately.. (Score:4, Interesting)
I need to do something about my cynicism.
Re:Maybe I've been reading too much politics latel (Score:5, Insightful)
"There is one caveat: PHP, the popular programming language, is the only component in the LAMP stack that has a higher bug density than the baseline, Coverity said."
I assume he means the baseline of 0.434 bugs/1000 lines, and that if they removed PHP from the LAMP stack, that average bug count would go down even further.
Re:Maybe I've been reading too much politics latel (Score:4, Informative)
Spot on, as you can see on scan.coverity.com [coverity.com]:
PHP could soon have lowest bugs/KLOC! (Score:2, Informative)
Well, I know a way where you can leave PHP in that stack and still make the bugs/KLOC figure go down REAL
Re:Maybe I've been reading too much politics latel (Score:2)
Relax. Some of us are so cynical, we regard your statement as a ray of Pollyanna sunshine.
Fucking LAMP. (Score:5, Insightful)
To me, MySQL is like the MS Access of the Open Source world.
Re:Fucking LAMP. (Score:1)
I don't trust Oracle, I've seen them move into too many companies and push others out as well as backstab their own partners.
MySQL (Score:3, Insightful)
Honestly, I don't trust MySQL either. Ever since they started going more commercial, there have been indications that eventually MySQL will be more closed up than open. But that's just speculation. So I've been slowly switching my stuff to use PostgreSQL. The only problem I have with PostgreSQL is that it doesn't handle user administration as well. Other than that, it's awesome.
Re:Fucking LAMP. (Score:3, Interesting)
Re:Fucking LAMP. (Score:2, Interesting)
What I would do. (Score:2)
Re:What I would do. (Score:2)
Re:Fucking LAMP. (Score:2)
Ever heard of ORM?
Clearly not the best thing for fine tuning your perfs (nothing is but raw SQL and good admins that know the DB), but try checking ActiveRecord for example. It does in fact allow table creation including column types, indexes, 1-1, 1-many and many-many relations between your tables (doesn't handle "true" foreign keys yet though), DB migrations (editing your databases, adding or removing columns or complete tables, modifying a column, ...), and everything is done in Ruby...
Re:Fucking LAMP. (Score:4, Interesting)
There are open (and closed) source products that have dealt with these issues for years. Modern ORM products handle all of these matters, and automatically provide translation between portable query languages (such as JDOQL) and high-performance vendor-specific SQL depending on the database you deploy on.
It is astonishing to see these matters still being discussed as if no solution exists!
Re:Fucking LAMP. (Score:2, Insightful)
Re:Fucking LAMP. (Score:2)
Next...
Re:Fucking LAMP. (Score:3, Interesting)
The problem seems to happen when people have very large collections, greater than 10,000 tracks... updates become slow, and the whole system gets a little sluggish. Apparently, when using MySQL, the problem goes away completely... or at least until someone gets to 100k tracks or some
Re:Fucking LAMP. (Score:5, Insightful)
It is pure bullcrap that MSSQL, Oracle, MySQL and PostgreSQL cannot take the exact same complex query without having to rewrite it.
That is one of the big problems: the fact that some of my queries will not go cross platform because of stupidities thrown in by Microsoft, MySQL, and Oracle that cause pain and suffering like this.
Re:Fucking LAMP. (Score:2)
As an undergraduate, I took a class taught on Oracle platform (it helps that the department got a hefty kickback from Oracle). I got sick for 2 weeks and studied out of a database text that was all about SQL '99. The prof smoked my grade for using SQL '99 syntax, despite, otherwise, getting the questions right.
Re:Fucking LAMP. (Score:2)
Unless there is some more to the story (is there?), then the professor did the right thing.
Re:Fucking LAMP. (Score:4, Insightful)
But if he's getting a Computer Science degree (which seems to be the plurality of students on
Re:Fucking LAMP. (Score:4, Insightful)
Re:Fucking LAMP. (Score:2)
I'm in a beginning programming class, and the language is C++, and the tools that the teacher is forcing down our throats is MS Visual Studio.
I looked ahead at the programming examples, and it's all basic logic (really, I should have just tested out of this class, but the school's process for that doesn't allow for it due to the program I'm in - anyway. . . ). None of the C++ code relies on Win32 libraries. It's all simple basic stuff - so I pasted some of the assignments into Xcode on my
Re:Fucking LAMP. (Score:2)
The year was 2000, so good texts on SQL 99 were hard to come by. MySQL wouldn't honor referential integrity constraints, so its output was just wrong, no matter how you sliced it. We were using Oracle.
Simply put, the Oracle syntax was 100% different for certain things. Tools and what not aside, if you put SQL 99 code into Oracle, I think that it would work (but don't remember so clearly on that point), but Oracle PL/SQL for triggers, stored procedures, and functions? It's not
Solution for the time being... (Score:2)
Re:Solution for the time being... (Score:3, Informative)
If you are relying on this type of architecture, where one machine does all the work, interoperability with separate databases is probably not even needed.
But if you're working with a project that needs replication and such, then you really can't rely on DB and web server being the same machine. Sometimes you have to sell your software as an installable product and make it work on multiple DB platforms. Sometimes you have to write to foreign data
Re:Solution for the time being... (Score:2)
Re:Fucking LAMP. (Score:2)
Re:Fucking LAMP. (Score:2)
So, a SQL parser and compiler that can transform queries between these should be trivial to make, right?
The absence of this tool, combined with the absolutely immense usefulness of it, tells my sense of logic that this is not really the case.
Re:Fucking LAMP. (Score:2)
subsetting is OK (Score:2)
The fact that so many databases do subset SQL99, however, is perhaps an indication that we would benefit from a well defined "SQL Light" subset.
Re:Fucking LAMP. (Score:2)
Um...
Writing software for people that may already have a database?
Even, god forbid, a different kind than the developer may have...
Checkpointing. (Score:2, Funny)
Tried it went back (Score:2)
It was a pain to figure out how to set up.
It was a pain to properly configure (never did to my satisfaction, not much good documentation on editing the users file).
It was a pain to get programs that support it to work with it (eWiki) and then not all the features worked when I did (embedding images).
And then if I wanted to do clustering or distributed DBs and such down the road, it was turning out to be a pain finding information about that also.
I liked what I saw, the
Right on (Score:2)
Re:Fucking LAMP. (Score:2)
Sadly, I have found, that there are some basic operations that require non-standard-SQL. I wish SQL were just a *bit* more rich, so it weren't necessary. (One example, if I'm not mistaken, is last_insert_id(), to find the last value in an autoincrement insert. Not possible to do atomically without a server-specific function.) There are a handful
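The hazard behind the parent's last_insert_id() remark, as an added example that is not part of the thread: two clients interleave inserts, and the portable "SELECT MAX(id)" workaround reports the other client's row, while the connection-scoped id (here Python's DB-API lastrowid, standing in for MySQL's LAST_INSERT_ID()) stays correct. The table, rows and temporary file are constructed for the demonstration.

```python
"""Added example: why "last inserted id" needs a connection-scoped primitive
rather than a portable SELECT MAX(id). Uses the standard-library sqlite3 module
on a temporary file so two independent connections can interleave their writes.
The orders table and its rows are constructed for the demonstration."""
import os
import sqlite3
import tempfile


def setup_db(path):
    """Create a table with an autoincrementing integer primary key."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, note TEXT)")
    conn.commit()
    conn.close()


def insert_and_fetch_ids(path):
    """Connection A inserts, connection B inserts, then A asks "which row was
    mine?" two ways: the driver's connection-scoped lastrowid and a portable
    SELECT MAX(id). Returns (lastrowid_seen_by_A, max_id_seen_by_A)."""
    a = sqlite3.connect(path, isolation_level=None)  # autocommit mode
    b = sqlite3.connect(path, isolation_level=None)
    try:
        cur_a = a.execute("INSERT INTO orders(note) VALUES ('from A')")
        a_lastrowid = cur_a.lastrowid  # scoped to connection A: stays 1
        # Another client commits an insert before A reads back its id.
        b.execute("INSERT INTO orders(note) VALUES ('from B')")
        # The "portable" read-back now sees B's row, not A's.
        max_id = a.execute("SELECT MAX(id) FROM orders").fetchone()[0]
        return a_lastrowid, max_id
    finally:
        a.close()
        b.close()


def run_demo():
    """Set up a throwaway database, run the interleaving, clean up."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        setup_db(path)
        return insert_and_fetch_ids(path)  # (1, 2): MAX(id) is wrong for A
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(run_demo())
```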
Re:Fucking LAMP. (Score:2)
I also wished MySQL would reduce the marketing spin a little. Two examples:
Huh? (Score:2)
Re:Huh? (Score:3, Insightful)
Re:Huh? (Score:2)
I think autovacuum was added in version 8.
Re:Huh? (Score:2, Informative)
Re:Huh? (Score:2)
From *your* GP:
> The only thing that needs vacuuming is dead tuples, and the only operations that create dead tuples are UPDATEs and DELETEs.
So apps that UPDATE or DELETE are "written wrong"???? Sorry, I'll go on thinking it's a problem with PostgreSQL.
Re:Huh? (Score:2)
Re:Huh? (Score:2)
Sorry - couldn't resist.
Re:Fucking LAMP. (Score:2)
Re:Fucking LAMP. (Score:2)
By using MySQL 5.0 [mysql.com].
HTH,
JP
Actually (Score:2)
I mean they have their place. If you're writing code for a company that has a standard DB in place they can cut down on transaction time, but if you're writing a more generalized pr
don't waste that $$$! (Score:2, Insightful)
Re:don't waste that $$$! (Score:1, Insightful)
They do - it says so in the article.
Re:don't waste that $$$! (Score:4, Funny)
Interested minds couldn't care less.
Re:don't waste that $$$! (Score:3, Interesting)
Many other studies and most programmers' experience show that there is a high likelihood of introducing a bug whenever you make a change to existing code. In fact, on a per-line-of-code-written basis, "fixes" are about the buggiest code you can write. So if you have .3 bugs per KSLOC (kilo lines of code) in mature code like Apache or the Linux kernel, the new stuff that fixes a bug might have three times as many b
Re:don't waste that $$$! (Score:2)
The LAMP devs _have_ to write secure code. (Score:1, Insightful)
Running most of the internet?!? (Score:2)
That would be the coolest thing EVA!!!
Until Google gets around to buying them all and porting them to a simple but usable AJAX format!
Counting Defects (Score:2, Interesting)
And why count them, and then not remove them?
And one huge defect is better than more than one small ones?
Sounds like crappy research to me, time to RTFA.
Re:Counting Defects (Score:3, Interesting)
Re:Counting Defects (Score:2)
With a tool whose goal is to scan for defects (out of bound access, memory leaks, uninitialized pointers, ...)
Duh?
http://scan.coverity.com/ - highest/lowest (Score:3, Interesting)
Just an FYI... AMANDA had the highest number of bugs at 1.214 defects / KLOC and OpenVPN the lowest at 0.100 defects / KLOC.
YEAH RIGHT! (Score:5, Insightful)
Being someone who has used Amanda for many years and also XMMS, I find it hard to believe. Amanda has few problems (unless it's the tape drive itself) and XMMS crashes sometimes when you just push a button in the "wrong way".
I think there can be a big difference between actual number of bugs and the perceived number of bugs. This almost makes counts like this useless for actually comparing software.
It is simple really (Score:2)
It could be one of its libraries. XMMS source code doesn't give you the player (or at least not one that will do anything); if you used Gentoo or LFS you would know this.
Oh, and bugs != programming errors or design flaws. Even if you eliminate all the bugs you could still have a program that blows up your cat when you try to save a file. It will just do it without any bugs getting in the way. Which is a good thing. Unless you're the cat.
Re:It is simple really (Score:2)
I had a professor who used to say "There is no such thing as a bug. Take responsibility for your errors". All "bugs" *are* programming errors or design flaws, unless you are actually talking about a moth that shorted out your power supply.
Re:YEAH RIGHT! (Score:3, Insightful)
Re:YEAH RIGHT! (Score:2, Informative)
* The Amanda developers (as far as I know) were not contacted that Amanda was on the list before it became news. But, Coverity _was_ quick and friendly about giving Amanda developers full access to the bug list for Amanda when we registered.
* Their checks do go beyond simple static checking; they are looking at possible values of index variables at different points in the code to assess potential overflows, and they are tracking malloc/free pretty well. You can find
Umm... Way to go Department of Homeland Security? (Score:4, Insightful)
I have to say, I'm surprised and impressed... a $1.2M grant to harden open source software? Thanks, all-seeing Orwellian eyeball. I don't recall Slashdot posting anything about the original grant, but here's a link from the posted article to another about the funding [zdnetasia.com].
The data is meant to help secure open-source software, which is increasingly used in critical systems, analysts said. Programmers working on the Linux operating system, Apache Web server, BIND Internet infrastructure software and Firefox browser, for example, will be able to fix security vulnerabilities flagged by the system before their code becomes part of a released application or operating system.
0.00 defects per infinity lines of code (Score:4, Insightful)
Re:0.00 defects per infinity lines of code (Score:2)
Well... no. It doesn't know what the hell your code is trying to do, and therefore it doesn't know where the missing semicolon is supposed to go, exactly.
Re:0.00 defects per infinity lines of code (Score:2)
GF: "The bath is leaking!"
Me: "Fix it then"
GF : "The bath is leaking! That's your job!"
Me: "Why? I know as much about plumbing as you do. Here, have a spanner."
GF: "What's a spanner?"
GF:
GF: "The bath is still leaking!"
Identifying and whinging about a problem is a completely separate problem to identifying and actioning a fix.
PS. Spanner = Wrench
PPS. This isn't a slight on girlfriends in general, I'm sure some girlfriends can plumb, I just don't ha
Re:0.00 defects per infinity lines of code (Score:2)
Is that considered a bug? From what I recall, it will compile fine; a bug checker should not list that as a bug. Now, I believe GCC will warn you "recommend parens around truth value" or something like that, which should be noticed by the programmer if it indeed wasn't supposed to be an assignment plus truth check but was meant to be a comparison. I don't think anything can detect logic errors like "if (bread_is_done_baking) { turn_oven_on() }" (instead of turn_oven_off())...
Re:0.00 defects per infinity lines of code (Score:2)
The actual thing I was getting to is that an automated system can only detect things which are style issues which might indicate bugs. It does not indicate any actual bugs.
It'd be perfectly possible to create a piece of code with zero defects which crashes the system, just as it's perfectly possible to create a piece of code with more defects tha
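The distinction drawn in the two comments above, as an added example in Python that is not code from the thread, GCC or Coverity: a tiny checker that flags an assignment used as an `if` condition the way GCC's "suggest parentheses around assignment used as truth value" warning does (including the convention that an extra pair of parentheses, `if ((x = y))`, opts out), and that is blind to the oven logic error because it is not a pattern. The C snippet it scans is constructed.

```python
"""Added example: a pattern checker for assignment-as-condition in C source.
It reproduces two behaviours of GCC's warning (a bare `=` in an `if` condition
is flagged; wrapping the whole assignment in extra parentheses silences it) and
shows that a logic error with correct syntax is invisible to such a check.
String literals are not skipped, so a "=" inside a quoted string would be a
false positive; real tools tokenise first. The C sample is constructed."""
import re

IF_RE = re.compile(r"\bif\s*\(")

SAMPLE_C = """\
int f(int x, int y, int done) {
    if (x = y)              /* line 2: assignment, GCC warns */
        return 1;
    if ((x = y))            /* line 4: extra parens, warning suppressed */
        return 2;
    if (x == y)             /* line 6: comparison, fine */
        return 3;
    if (done) turn_oven_on();  /* line 8: logic error, no checker sees it */
    return 0;
}
"""


def _condition(text, start):
    """Return the text inside the parenthesis group that opens at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced parentheses")


def _has_bare_assignment(cond):
    """True if cond contains an `=` that is not part of ==, !=, <= or >=."""
    return re.search(r"(?<![=!<>])=(?!=)", cond) is not None


def _fully_parenthesised(cond):
    """True if cond is one extra parenthesised group, e.g. `(x = y)`, which
    GCC treats as the programmer saying 'yes, I meant an assignment'."""
    cond = cond.strip()
    if not (cond.startswith("(") and cond.endswith(")")):
        return False
    return _condition(cond, 0) == cond[1:-1]


def check_assignment_in_condition(source):
    """Return the 1-based line numbers of `if` conditions that are bare
    assignments. Comparisons and parenthesised assignments are not reported."""
    findings = []
    for m in IF_RE.finditer(source):
        cond = _condition(source, m.end() - 1)
        if _has_bare_assignment(cond) and not _fully_parenthesised(cond):
            findings.append(source.count("\n", 0, m.start()) + 1)
    return findings  # for SAMPLE_C: [2]
```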
No MySQL? (Score:2)
Test of Leaked Vista/IIS code (Score:5, Funny)
The findings were remarkable. They found 4,669 flaws, but since they didn't have the source code it resulted in a divide-by-zero error when they calculated the statistics on their Excel spreadsheet. The error triggered an unheard-of lockup on their Windows XP desktop.
On a positive note, recovering from the error alerted them to the presence of 43 strains of the MyDoom virus, 257 instances of Alexis spyware, and a bootleg copy of "Making of the Britney Spears Sonogram".
LA - fine M - okay P - ah so many varieties! (Score:5, Interesting)
Linux & Apache - rock solid stable releases.
MySql - Okay, getting better with each release.
P - This is the kicker. Perl, Python, PHP, and more so lately even that R one Ruby & Rails.
We are living in interesting times when we have so much choice... much like the Chinese curse. I do not see how you can evaluate all of these platforms together in a general fashion. Where is the skew or bias in this study?
Someone on IRC recently was critical of a small website I put together in 2000. It was written in plain HTML, using frames *gasp*. Many people today do not realize how far web development has come since then.
-1 OffTopic, but... (Score:2)
That's not actually Chinese [noblenet.org], I'm afraid. It's just one of those things that's accepted without references; much like the one about eating 8 spiders a year while asleep [snopes.com] (and I love the ironic story behind that one).
Re:LA - fine M - okay P - ah so many varieties! (Score:2)
Static HTML for Static Content (Score:2)
Enjoyed it I did. (Score:2)
It was mostly for family members who did not get to attend.
what counts as a bug? (Score:2)
Security is not a feature, security is design (Score:4, Insightful)
Open source is great because of the many eyes, knowledge sharing and having nothing to do with corporate tradeoffs (the users have the largest voice). But it stinks in the fact that any noob can make programs which are badly designed and are a serious risk to security; however, someone may learn faster from the mindsharing in the open source world. To have a well concise system so much more is needed than just some bugfixes. OSS is just a proof that closed source corporate software is not good with security, but it isn't proof of sound security.
Most interesting is OpenBSD with its outstanding default values, its very own high profile malloc which prevents coders from a lot of buffer underruns/overruns, outperforming other malloc implementations. It has a very high quality of manpages and if you want to do something then you have to RTFM. That's what security should be, other than some less known bugs. I would even suggest that it would be better in the name of security that people would use program derivation (which is a very concise way to do formal verification). PIE and all other solutions maybe look practical, but they don't solve the lacking attention for "secure by design".
Will Coverity contribute? (Score:2)
Re:Will Coverity contribute? (Score:2)
Re:Will Coverity contribute? (Score:2)
Kernel Fuck Count (Score:2)
Maybe they've measured in a specific way [durak.org]?
From the lame-ass-metaphor dept. (Score:2, Funny)
For the love of all that's holy, please drop the hackish high-school-newsletter headlines.
Commercial metrics? (Score:2)
Maybe someone works for a company that used the tool on their code? Or some results have been published somewhere?
Hint to PHP devs (Score:2, Funny)
bug reports? (Score:3, Interesting)
Free software (Score:2)
Re:Solaris (Score:2, Funny)
Re:Solaris (Score:2)
You know what the difference is? The kernel and about five programs each - the rest is the same GNU software you find all over the place. When I tried Belenix 0.3, it was very much like an early Ubuntu. - only slower (and I never would have thought that *anything* could have gone slower than Ubun
Re:And for Windows XP? (Score:2)
Seriously, the "at least it's not Microsoft" argument shouldn't impress anybody. The desire to put out a superior product, period, should be motivation enough to undertake something along these lines.
Re:And for Windows XP? (Score:2)
Even if it is, would you consider this an objective metric? Everybody knows that the kloc is, at best, an informal estimate of effort. Perhaps the Microsoft code does in 5 lines what the Open Source code does in 150. There are no bugs in those 5 lines, but 5 in the 150. The 150 line implementation implements an algorithm that runs in poly time, but the 5 lines run in exponentia
Re:And for Windows XP? (Score:3, Funny)
I didn't know MS used Perl.
(unix tools excepted)
Re:And for Windows XP? (Score:2)
Congratulations, you're an idiot?
The goal of Coverity's tool is not to estimate the quality of an algorithm, but the quality of the code e.g. memory leaks and stuff.
Re:And for Windows XP? (Score:2)
Re:And for Windows XP? (Score:2)
Next time you decide to call me an idiot, say something smart.
Re:And for Windows XP? (Score:2)
I take it you've never actually done any Win32 programming.
(I hear
Re:What about.... (Score:2, Funny)
They did test OpenBSD. (Score:3, Informative)