US DHS Testing FOSS Security

Stony Stevenson alerts us to a US Department of Homeland Security program in which subcontractors have been examining FOSS source code for security vulnerabilities. InformationWeek.com takes a glass-half-empty approach to reporting the story, saying that for FOSS code on average 1 line in 1000 contains a security bug. From the article: 'A total of 7,826 open source project defects have been fixed through the Homeland Security review, or one every two hours since it was launched in 2006 ...' ZDNet Australia prefers to emphasize those FOSS projects that fixed every reported bug, thus achieving a clean bill of health according to DHS. These include PHP, Perl, Python, Postfix, and Samba.

What about MS?

[by Anonymous Coward]

Now if they would do the same to Microsoft. Oh yeah...

Re:What about MS?

[filbranden (1168407)]

Actually, it would be really nice if it was possible to do it with Microsoft. Microsoft (or most other companies that produce proprietary software) certainly can't do better than what the open source projects do, and certainly their code contains at least as much issues as the ones found in open source projects.

The ability to do code audits has always been one great advantage of open source software, but until now, it was mostly in theory. Now we start to see big code audit projects such as this one, showing that the advantage is real and that the results of the audit are good, since some of the projects have alread patched all of the issues, and certainly most of others will finish patching them soon. This shows that open source is here to stay, is going mainstream, and will not be stopped by any company's interests.

All issues that currently exist on Microsoft's code, on the other hand, will be unpatched. Unless they hire some consultant company (why not the same?) to do the audit on their code (certainly under NDA). But you can be sure that, if they do, for one, they won't publish the results of how many issues were found. No transparency there. And also, probably many issues won't be fixed as promptly as all of them were fixed in many of the audited open source projects. This is not a speculation, if you only look at how long it takes for them to fix issues for which there are security vulnerability reports issued, then you realise that the ones only they know about will certainly take much longer.

Re:

[Shados (741919)]

Well, technically, they don't need to -hire- some consultant companies to do it... While it WILL be under extreme DNA, it is not uncommon for Microsoft's customers to be allowed to get access to the source, if they're big enough.

Now, I realise it doesn't change your point at all, but its not like MS is the only entity with access to their own code: they have dedicated programs to share even their most closed pieces of code with their customers (if they're important enough).

Re:What about MS?

[splutty (43475)]

I see nothing wrong with a 3rd party specialized in this sort of auditing to actually do it, instead of a whole bunch of programmers & others who probably don't have that specialization, and are most often busy with actually being 'productive' and thus have no time to audit themselves (impossible) or others (not always efficient)

Re:What about MS?

[cp.tar (871488)]

This shows that open source is here to stay, is going mainstream, and will not be stopped by any company's interests.

It also shows that open source has failed to use a common tool to self audit - it took a third party to do so.

Since an audit is usually an independent review, I see it as only logical for it to have been done by a third party.

The point is, it is open. Anyone may perform an audit at any time they wish to do so.
And everyone apart from the developers themslves and the users of the software is third party, by definition.

Re:

[budgenator (254554)]

Feel free to pay to have any OSS project audited you would like to see made better.

Re:What about MS?

[rtb61 (674572)]

WTF? Your statement makes abso-fucking-lutely no sense at all. In open source there is no such thing as a third party or second party, anyone and I mean absolutely anyone, be they part of the government, employed by a corporation company or private individual that contributes to open source software is a first rate party.

That is what open source is all about, anybody can contribute their worth while efforts to it. Contribution to open source not only includes code, it also includes, auditing as well as actual innovation and even those other activities like distribution, documentation, promotion and support.

So your illogical claim of failure is in reality open source success. I will never understand why closed source proprietary zealots just don't get it, I suppose it just goes to prove greed and stupidity really do go hand in hand ;).

Re:Wow... FOSS looks pretty pathetic

[mr_mischief (456295)]

There are industry estimates that say average code in production contains 2 bugs per thousand lines of code. Some say that number is much higher. How many lines do you think are in Vista?

Yes, OSS has bugs. Everything from compilers to content management systems, surely. So do proprietary programs.

The more qualified eyes you get on a bug, the better chance you have of finding and fixing it. You can do that by having a big staff that pores over code again and again. You can do it by having lots of outside help, like in the case of popular OSS projects. One thing that helps is to have a fresh set of eyes look over something, which is much easier in OSS that in closed-source applications.

BusinessWeek had an article from a guy at Coverity back in 2006 about this. In that article [businessweek.com], Ben Chelf said that 4 of the top 15 programs on the quality scale measured by defects per thousand lines of code were OSS. He said that on average, the major-project OSS software they tested was indeed higher quality software than average. He said, though, that the absolute highest quality code was the cream-of-the-crop proprietary, closed source code from places that make things like fly-by-wire systems. Well, yeah. I'd want my airliner's fly-by-wire system completely bug-free, too.

Commercial software tends to harbor anywhere from 1 to 7 bugs per 1000 lines of code according to the National Cybersecurity Partnership's Working Group on the Software Lifecycle [zdnet.com]. Voluntary testing by Coverity requested (and probably paid for) by MySQL AB revealed that project to have all of 97 flaws, one of which could be a serious security issue. All 97 were to be fixed for the next release.

A similar study (same link) found 985 bugs in over 5,700,000 lines in the Linux kernel, or fewer than one bug per 10,000 lines of code. TFA has data on a newer version of the kernel -- 0.127 bugs per TLOC.

In Apache, 22 bugs total, 0.14 per TLOC, and three fixed so far.

PostgreSQL had 0.041 per TLOC, and have so far fixed 53 of the 90 bugs.

The glibc team fixed 83 of 83 bugs found.

OpenVPN had found one security-related bug in over 69,000 lines of code. As of later yesterday, it's officially security bug free according to the same testing people.

The list of officially security-bug free software [zdnet.com.au] includes Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL.

So with Linux (0.127), glibc (0.000), Apache (0.140), PostgresSQL (0.041), Perl (0.024), PHP (0.000), and Python (0.000) powering a web server (numbers according to Coverity [coverity.com]), you have 0.0474 defects per thousand lines of code across the server. I'd say that's pretty good.

Re:Wow... FOSS looks pretty pathetic

[mattjb0010 (724744)]

So with Linux (0.127), glibc (0.000), Apache (0.140), PostgresSQL (0.041), Perl (0.024), PHP (0.000), and Python (0.000) powering a web server (numbers according to Coverity), you have 0.0474 defects per thousand lines of code across the server. I'd say that's pretty good.

I'd say your statistic is wrong. You need to multiply each average by the number of kloc per project (being careful to count those for the project version for which the averages were given), and then divide by the total kloc across all projects.

Re:Wow... FOSS looks pretty pathetic

[mr_mischief (456295)]

You're right. I forgot to weight them based on the portion of the installation they'd each represent.

It's also unlikely that any real installation would have exactly those packages installed, BTW. Almost any installation will have packages from CPAN, PEAR, whatever Python's central repository is called, some extra stuff like syslog, logrotate, bash, and at least one text editor at the very minimum.

Let's be a little more accurate than multiplying by defects per thousand lines to make up for my previous late-night gaffe. Let's use the actual defect numbers of verified but unfixed and unverified defects.

Apache has 19 defects in 135,916 LOC.
glibc has 0 defects in 588,931 LOC.
Linux has 461 defects in 3,639,322 LOC.
Perl has 12 defects in 496,517 LOC.
PHP has 0 defects in 474,988 LOC.
PostgreSQL has 37 defects in 909,148 LOC.
Python has 0 defects in 282,444 LOC.

That's 6,527,266 LOC and 529 defects. That's 6527.266 TLOC. I get 0.081 defects per TLOC. That's still pretty damn good.

As I said, there's probably some other software on that server, but it starts from a pretty strong base.

Re:

[ajs318 (655362)]

The biggest "security problem" in PHP is related to file upload by HTTP and the way Windows handles permissions. And it's not a problem with PHP per se, but with the way some people (mis)use it. Blaming PHP for insecure scripts is a bit like blaming Severn Trent for drownings!

Every file on a Windows box has execute permission set. This appears to be a designed behaviour of Windows. If you do not perform a chmod on it after upload, it keeps its execute bit. This is entirely to be expected, and any oth

Rabid MS hater?

[mr_mischief (456295)]

I'm so much of a rabid MS hater that I'm writing this post from Firefox 3b2 on Windows XP. Get real.

Where did you pull the 1% of OSS users being programmers from? Your ass? You didn't even cite your own ass? How rude! ;-)

Yeah, there aren't enough world-class programmers to go around the millions of OSS projects out there, or even the most popular hundred thousand of them. Maybe not the ten thousand most popular. Yet over half the patches for the Linux kernel come from people other than the core development

Fixed?

[sjbe (173966)]

A total of 7,826 open source project defects have been fixed through the Homeland Security review

Do they mean fixed [wikipedia.org] or fixed [wikipedia.org]?

Looking good, too bad the press didn't understand

[Bruce Perens (3872)]

The important point here is that proprietary software manufacturers aren't telling you how many security flaws they had. I bet it's more than 1 per 1000 lines, that is an incredibly excellent figure for the first time a scanner like coverity is run. I doubt proprietary work comes close.

You can't ever say that proprietary software is secure, because there's no way to prove it. With Open Source, you can come a lot closer to proving that it is secure, because you can employ every security test that exists.

The fact that a coverity scanner bug is reported doesn't mean it's an exploitable security flaw.

Bruce

Re:Looking good, too bad the press didn't understa

[QuantumG (50515)]

Although I understand what you're trying to say, it does seem a little irrelevant.

I'm a software security engineer. I can look at source code and tell you if it has some bugs in it that I would consider relevant to security. If I can't find any, I might tell you that it is more secure than if I could... but that's doesn't mean it is secure. I'll never tell you it is secure, because testing simply can't give you that. I can do this on proprietary software or I can do this on Open Source software.. the only difference is that, with the Open Source software, I don't need permission from someone to do the testing and other people don't need permission to check my work.

Does this mean that more people will check the Open Source software for security flaws? Not necessarily. It completely depends on whether or not someone has an interest in the security of that particular bit of software. Even assuming a similar level of interest in the security of comparable proprietary and Open Source software, there's no guarantee that those who have an interest in testing the Open Source software for security flaws will report back the findings. They may simply decide that the Open Source software is too insecure for their use and go with the proprietary solution - assuming they can have it similarly tested by a trusted third party.

All in all, the assumption that Open Source software is more secure than proprietary software is most likely true, but there's no hard data.. because the stats on the insecurity of proprietary software are guarded secrets - and that's probably the best reason to assume that proprietary software is less secure.

Re:Looking good, too bad the press didn't understa

[Bruce Perens (3872)]

Does this mean that more people will check the Open Source software for security flaws? Not necessarily. It completely depends on whether or not someone has an interest in the security of that particular bit of software.

I submit that people who are only looking for security flaws don't have a motivation to develop a deep understanding of the software. People who are out to modify the software do. And thus there are not just more eyes, but better eyes with Free Software.

There is a class of mathematically provable software languages, and you might be able to say with surety that programs in them are secure. For the languages we usually use, you can only say that you have tested them in the ways you know of. And only a person with access to the source can say that. If you want an independent asessment, Open Source software won't stop one from happening, and won't hinder what can be said with NDAs. That's why I think it's more secure.

Bruce

Re:

[QuantumG (50515)]

I submit that people who are only looking for security flaws don't have a motivation to develop a deep understanding of the software. People who are out to modify the software do. And thus there are not just more eyes, but better eyes with Free Software.

No offense, but that's completely the opposite of the facts. The vast majority of software engineers have no idea what they're doing when it comes to detecting, fixing and avoiding security issues. That's why tools like Coverity exist - and most the time the programmers can't even use them correctly. There are "security consultants" you can hire who basically just explain the results from Coverity, and they're not short on work.

But hey, don't take my word for it.. go have a chat with your friend Theo de

Re:

[DamnStupidElf (649844)]

I haven't tried this, and indeed there isn't much real work going on in provable software languages these days. But I think that it would be possible to set theoretical constraints on a program such that it serves data and does not allow it to be modified. There might be a good Ph.D. paper in it for someone.

It's possible to prove almost anything about the programs and operating systems, from type safety and runtime guarantees to any arbitrary set of predicates you want the system to satisfy. That assumes

Re:

[civilizedINTENSITY (45686)]

"For example, MacOS and Windows had a similar number of critical security patches last year."

Willing to stipulate for the purpose of this discussion.

However, there were dozens of Windows viruses and hundreds of thousands of compromised machines, and zero MacOS viruses.

Likewise willing to stipulate.

Thus, while a certain measure of vulnerability is comparable, the likelihood of actually being attacked is infinitely highder with Windows.

I would suggest this doesn't necessarily follow. It could

RTFA

[Pinckney (1098477)]

The important point here is that proprietary software manufacturers aren't telling you how many security flaws they had. I bet it's more than 1 per 1000 lines, that is an incredibly excellent figure for the first time a scanner like coverity is run.

Actually, the first line of the article reads "Open source code, much like its commercial counterpart, tends to contain one security exposure for every 1,000 lines of code, according to a program launched by the Department of Homeland Security to review and tighten up open source code's security."

Pessimism in article

[filbranden (1168407)]

Not only did the article say much like its commercial counterpart, but most of the numbers it shows are actually good for open source software.

For instance, most of the projects discussed had less than 1 bug for 1000 lines of code. For instance, the Linux kernel had .127 bugs per 1000 lines, and that on over 3 million lines of code.

Also, the article talks about key projects, such as the glibc (which is basically used by everything on a Linux system) that already fixed all the issues.

Even something huge and complex as Firefox has already fixed half of the issues, and is showing progress on the rest of them (by the fact that some were already verified).

Overall, I didn't get the half glass empty tone that the summary is implying. And what I found strange is that even the comments on the site itself, and many of them on /. itself, are also taking the pessimistic view.

I thought that this news are great for open source software. Shows that it has less security issues than average, that the issues are fixed quickly, and still that some programs are certified by a company for use in security related departments such as the DHS. What could be better than that?

Re:Looking good, too bad the press didn't understa

[unlametheweak (1102159)]

According to McAfee recently (http://yro.slashdot.org/article.pl?sid=08/01/05/0215201) and Microsoft et al, having your code exposed lets the bad guys exploit it's vulnerabilities. Of course if or when a weakness is taken advantage of, it would likely be fixed vary quickly through the FOSS community, instead of on the first Tuesday of every month like as in Microsoft's business model.

Re:Looking good, too bad the press didn't understa

[Waffle Iron (339739)]

It's like arguing that there's no point in locking your door because 100,000 houses with locks were broken into.

A more apt analogy would be: There's no point in locking your door using a limp spaghetti noodle because a limp noodle makes a completely ineffective lock.

Re:

[ClosedSource (238333)]

Analogies have their limits, so we shouldn't try to take it too far.

Even those who historically have critized "security through obscurity" never suggested that publishing their design or secrets would lead to better security, but rather that you can't assume your that your design can't be cracked.

Of course, the preferred approach is "security through design" which has nothing to do with correcting bugs. The latter could be called "security through maintenence". Thus while we might argue about whether closed

Re:

[mr_mischief (456295)]

There are numerous refutations to your "never suggested that publishing their design or secrets would lead to better security". Many experts have said precisely that.

An IT Security article on full disclosure [itsecurity.com] states that as early as the middle of the 19th century locksmith Alfred C. Hobbes thought full disclosure was important to clear up the rash of lock picking people were experiencing. It goes on to discuss exactly why full disclosure works so well.

David Wagner says in an article on security: "Today, many [berkeley.edu]

Re:Looking good, too bad the press didn't understa

[grcumb (781340)]

The important point here is that proprietary software manufacturers aren't telling you how many security flaws they had.

Indeed. FTFA:

"Our commercial customers wouldn't like it too much if we aired the number of defects found in their code," said Maxwell, when asked about the results from scans on 400 product lines of the firm's private customers.

One can only speculate about the, er, source of their discomfort.... 8^)

I bet it's more than 1 per 1000 lines, that is an incredibly excellent figure for the first time a scanner like coverity is run.

1 per 1000 lines is even more impressive as an average across all 180 FOSS applications tested. Most impressive of all are the highlights:

• SAMBA: 236 defects in 450,000 lines of code. 228 already fixed.
• Linux Kernel: 0.127 security faults per thousand lines of code. The kernel scan covered 3,639,322 lines of code.
• Apache: 135,916 lines of code, which yielded a security defect rate of 0.14 bugs per thousand lines of code. Or 1.4 per 10,000 lines of code, if you prefer. 8^)
• PostgreSQL: 909,148 lines of code, with a 0.041 per 1000 defect rate.
• glibc: 83 bugs in 588,931 lines of code, all since fixed.

Even some of those with more bugs have at least responded well:

• KDE: 4,712,273 lines of code, fixed 1,554 defects, verified another 25 and has only 65 to go.
• GNOME: 430,809 lines of code, fixed 357 defects, verified 5 and has 214 to go.

And my favourite 'backslider' of all, OpenVPN, has yet to fix 100% of the bugs found during this exercise. Of course, that's only 1 bug in over 69,000 lines of code....

These results should be viewed as excellent, by and large. This doesn't mean all this software is bug-free, just that there aren't a lot of easily preventable bugs in the code base. Most encouraging, though, is how fast they got addressed and fixed by the healthier FOSS projects.

Re:Looking good, too bad the press didn't understa

[locofungus (179280)]

Just has to do with coding methodology. strcpy is insecure, strncpy is more so. strncpy(src, dst, sizeof(dst)) is more secure than strncpy(src, dst, size_of_dst). Those are easy to fix security bugs. Other security bugs are harder to find as you have to trace the myriad of states the app can be in during mem writes.

strcpy is NOT insecure. It can be used insecurely.

But congratulations, you've just turned what could have been a borderline ok strcpy(src, dst) (ought to have been criticized at code review as the names of the variables are confusing) bit of code into (probably) a crash and definitely a buffer overrun if sizeof dst is larger than sizeof src.

I have lost count of the number of bugs I've had to fix after someone changed a perfectly good strcpy into strncpy. A common mistake is:

strcpy(dst, src);
becomes
strncpy(dst, src, sizeof dst);

and then you get a bug because only the first four characters of src appear in dst followed by garbage.

Of course, then it gets changed to
strncpy(dst, src, strlen(src));
because the original programmer did know what they were doing and the buffer was big enough.

Eventually we get to the brilliant:
strncpy(dst, src, strlen(src)+1);

Fantastic! What an improvement! And yes, it really does happen in what was once good production code because some idiot has heard that "strcpy is insecure".

Another one I've seen is:

dst = malloc(1000000);
strcpy(dst, "MESSAGE");

gets changed to
dst = malloc(1000000);
strncpy(dst, "MESSAGE", 1000000);

Yup, instead of writing 8 bytes, we'll write one million bytes because strcpy is insecure, but we won't fix the missing check for NULL. (there's a fairly good argument for not checking the return from malloc in much production code - if malloc actually fails then you're already so far up shit creek without a paddle that it's probably impossible to recover gracefully anyway. Obviously different considerations will apply if you're controlling a nuclear power plant than if you're writing a game)

strncpy is NOT a replacement for strcpy with a length parameter. Unfortunately strncpy has a very bad name, it should be called something like meminit_from_str() as strncpy ALWAYS writes n bytes and doesn't always write a null terminator. (I've also had to fix bugs where someone has replaced a correct use of strncpy with a version that guarantees to write the null)

strncat is a possibly safer replacement for strcat. However, the length parameter is so tricky to get right that I've seen cases where someone originally wrote strcat safely, that got changed to strncat "because it's safer" and then a bit later another change was made that caused a crash because the original change to strncat got the length parameter wrong.


extern char error_msg[][40];
char error[64];
strcpy(error, "ERROR");
strcat(error, error_msg[e]);


becomes


strncpy(error, "ERROR:", sizeof error);
strncat(error, error_msg[e], sizeof error - 6);


becomes
/* We'll just fit as much of the translated error as possible into this buffer */
strncpy(error, get_translation("ERROR:", lang), sizeof error);
strncat(error, translated_error_msg(e, lang), sizeof error - strlen(error));


of course, even more common is to miss the -6 or strlen(error) completely than to remember the extra -1 that is required on the length parameter.

(The man pages are IMO, confusing for strncat as they usually say something along the lines of "appends at most n characters")

Tim.

Re:

[liquidpele (663430)]

If a company wanted to be audited by them, they would have the techs doing the auditing sign heavy NDA (non-disclosure agreements) and then give them the code. This way, if the techs then give away any details about the code (or often even talk about the code) the company could sue.

So yes, they can get audited if they wanted, but they still would be the only ones who knew how bad the code was (besides the techs doing the auditing of course).

Must be run by Engineers...

[ComputerSlicer23 (516509)]

Uh.. from the article, the software is called "Prevent Software Quality System"... Wow, I can't think of a bigger misnomer for something that should help improve software quality. I sure don't want to prevent software quality in my own products.

The Actual Scan Site

[gQuigs (913879)]

http://scan.coverity.com/ [coverity.com]

Wow important stuff

[OzPeter (195038)]

I checked out the Coverity website [coverity.com] and saw on the list of projects the aalib ASCII art library [sourceforge.net] which according to the history hasn't been updated for something like 7 years.

Damn we better protect ourselves from Terrists hiding their WMD's in ASCI art

I wouldn't sweat it.

[rindeee (530084)]

DHS is a dysfunctional mess for the most part when it comes to INFOSEC/IA. They negative for the sake of negativity approach does not surprise me in the lest. If it's any comfort, DoD takes FOSS quite seriously and makes use of many great FOSS tools and platforms. It really is a cultural difference. Those in the DoD that get the job done are prone to use 'the best tool for the job'. FOSS is a gimme in many (and an ever increasing number of) cases.

False positives

[clem.dickey (102292)]

The article did not seem to give any data on false positives. A story here [internetnews.com] has Coverity claiming a 10% false positive rate. But there is no independent confirmation. It would also be interesting to know how hard it is to prove a false positive vs. how hard to fix a true positive. In other words, it it worth Coverity's time to further reduce the false positive rate.

Re:

[hyc (241590)]

In the OpenLDAP source base the false positive rate was over 75%.

Prevent 2.4.6
Tasks (hyc)
Help
My Settings
View Runs
Diff Runs
View Projects
Manage Users
Main Page

Return to view-projects

Logout

Lifetime Report
Analysis Summary
Run count 406
Lines of code 125,757,965
File count 333,676
Defect Summary
Bug count 4,223
Results count 31,134
Checker Summary

Well...

[Otter (3800)]

This seems like a genuinely useful activity for DHS, certainly more valuable than x-raying my shoes and confiscating my saline solution.

L, A and P, but where's M?

[ThreeGigs (239452)]

From TFA:
The popular MySQL open source database was not included in the scans for reasons that were not immediately evident.

Any suggestions as to why MySQL has no results? I'm stumped and wondering why one whole corner of a LAMP foundation was left unchecked.

Re:

[mr_mischief (456295)]

They did in 2006 [news.com] and found about 0.224 defects per TLOC.

MySQL uses Coverity and Klockwork [mysql.com] on their certified versions on several different platforms. The certified versions are based on the major releases of community versions, and are typically just more conservative in that they only make changes for critical and security bugs [livejournal.com].

There's speculation that the community edition tested was actually an old report without a retest even back then, as the certified version based on that community version had zero d

some notes on the article

[ehovland (2915)]

First off, prevent is not strictly a security flaw static-analysis checker. It is a static-analysis checker that checks for all sorts of defects. Some of which are directly related to security. Second, I have used prevent extensively over the past year and have found it to be an invaluable tool. It has a pretty low false positive rate and fixing the defects it finds means your code is better. On the code I work on, I find that we have a much lower defect count. But we also have pretty mature code and we really do attempt to make it as bullet proof as possible. But we still have defects.

My experience is with the C/C++ version of tool. We have also been evaluating the java version of the tool and it is good. But some of the free alternatives like findbugs are still better. I would use findbugs w/ prevent for java if I wanted good coverage.

Re:

[KillerCow (213458)]

Computer terrorism. They don't want a send-mail bug to allow a beachhead for compromising more sensitive systems.

Re:

[QuantumG (50515)]

Didn't you watch Die Hard 4? DHS obviously did.

Re:

[ianare (1132971)]

In the 21st century, you do have to worry about cyberattacks. The DHS uses some of these tools [linux.com], and it is a Good Thing (tm) they are making them more secure. They help propriatary software vendors [fcw.com] too, the difference is that with OSS everyone benefits.

Re:"The" PHP?

[JorDan Clock (664877)]

..the PHP, Perl, and Tcl dynamic languages...

"The" in this sentence refers to the list, not just PHP.

Re:"The" PHP?

[grcumb (781340)]

..the PHP, Perl, and Tcl dynamic languages...

"The" in this sentence refers to the list, not just PHP.

How could he possibly know that? He said already that he stopped reading after 'the PHP'.

/me ducks and runs...

Re:

[grcumb (781340)]

So close. Lets turn those into a proper Tcl list, shall we...

set thislist {Samba} {the PHP} {Perl} {Tcl dynamic languages} {Amanda}

No, I think he's deliberately speaking with a LISP.... 8^)

Re:

[Unoti (731964)]

Languages like And Such, and the PHP.

Re:

[bladesjester (774793)]

Languages like And Such, and the PHP.

Security and computer science as explained by a valley girl?

Like totally!

Re:

[Lehk228 (705449)]

I would like to consider you an hero of the open source movement

please become an hero.

Re:

[WK2 (1072560)]

There are two problems with your suggestion:

a) it is too restrictive, and would disqualify the GPL as free software. Remember, that the GPL is a distribution license, not a list of restrictions. You should be able to talk to other people (even publicly) about software without contacting the maintainer first. The behavior you describe is responsible, and generally recommended, but should not be forced.

b) as you have it worded, if the restrictions were followed, it would enable a maintainer to prevent anyone

Re:

[Guy Harris (3803)]

Just thought of this: Make it stipulation of GPL that if you publically report bugs or bug counts in GPL software, that you must also produce a detailed account of how to reproduce the bug, and you must provide that report to the maintainer of the current source (who you got it from, or the root source as listed in the code). Possibly a two-week window between notification (and acknowledgement) and publication.

Not all bugs are easily reproducible - and not all bugs are found by tripping over them. Conside

Re:

[Torvaun (1040898)]

They usually don't. But, enlightened individuals that many Slashdot users are, we do not feel the need to rip apart good things done by bad people. We will look for motive, yes, but we will also accept the good that they do.