[SATLUG] The difference between Linux and OpenSSL

Bruce Dubbs bruce.dubbs at gmail.com
Sat Apr 19 11:45:44 CDT 2014


Borries Demeler wrote:
> Lack of funding is the problem of many open source projects, despite
> their incredible importance. This is made pretty clear in this article:
>
> http://bits.blogs.nytimes.com/2014/04/18/openssl-and-linux-a-tale-of-two-open-source-projects

I can't read it because they want me to register and I don't want to do 
that.

But let me make some comments.  Red Hat, SuSE, and Ubuntu have the funds 
to do QA for critical programs.  They either chose not to do that or 
missed the problem too.  How many full time equivalent (FTE) personnel 
are needed for good software QA for the critical components such as 
openssl, openssh, gpg, stunnel, etc.?

ALL software is subject to bugs.  The issue is how far after injection 
do the bugs get before they are removed.

No matter how much the software is examined, the potential for some bug 
getting through is still there.  It doesn't matter how much money is 
invested.  The really impressive feat in the relatively recent past was 
the Mars lander.  That it was successful at all was a tremendous feat of 
quality control.  However, if you dig down, I bet they have made changes 
at different times to the code due to unforeseen issues.  Remember the 
crash because they didn't convert between English and metric units?

If it were proprietary code, how long would it have taken to discover 
the problem?

What is the bug density of open source vs proprietary?

http://www.coverity.com/press-releases/annual-coverity-scan-report-finds-open-source-and-proprietary-software-quality-better-than-industry-average-for-second-consecutive-year/

Looking at the openssl tarball, there are 349,834 lines of .c code and 
97,247 lines of headers in 1191 files.  Subtract about 50 lines from 
each file for the copyright header and you get about 370K SLOC.

   -- Bruce