[SATLUG] The difference between Linux and OpenSSL
bruce.dubbs at gmail.com
Sat Apr 19 11:45:44 CDT 2014
Borries Demeler wrote:
> Lack of funding is the problem of many open source projects, despite
> their incredible importance. This is made pretty clear in this article:
I can't read it because they want me to register and I don't want to do
But let me make some comments. Red Hat, SuSE, and Ubuntu have the funds
to do QA for critical programs. They either chose not to do that or
missed the problem too. How many full time equivalent (FTE) personnel
are needed for good software QA for the critical components such as
openssl, openssh, gpg, stunnel, etc.?
ALL software is subject to bugs. The issue is how far after injection
do the bugs get before they are removed.
No matter how much the software is examined, the potential for some bug
getting through is still there. It doesn't matter how much money is
invested. The really impressive feat in the relatively recent past was
the Mars lander. That it was successful at all was a tremendous feat of
quality control. However, if you dig down, I bet they have made changes
at different times to the code due to unforeseen issues. Remember the
crash because they didn't convert between English and metric units?
If it were proprietary code, how long would it have taken to discover
What is the bug density of open source vs proprietary?
Looking at the openssl tarball, there are 349,834 lines of .c code and
97,247 lines of headers in 1191 files. Subtract about 50 lines from
each file for the copyright header and you get about 370K SLOC.
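The SLOC figure above is a raw line count minus a guessed 50-line licence header per file. As an added example, not code from the post or from OpenSSL, the Python below strips C comments and blank lines directly so a source tree's SLOC can be measured instead of estimated; it assumes the tarball is unpacked under a directory path you pass to `sloc_tree`, and the C snippet in the test is constructed.

```python
"""Count C source lines of code (SLOC) for a bug-density denominator:
lines that still carry code once comments and blank lines are removed,
so a multi-line licence comment at the top of a file does not count."""
import os
from typing import Iterable


def strip_comments(src: str) -> str:
    """Remove /* */ and // comments, leaving string and char literals
    intact so "http://x" or '/' inside a literal is not read as a comment.
    Newlines inside block comments are kept so line numbering is preserved."""
    out = []
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        nxt = src[i + 1] if i + 1 < n else ""
        if c in ('"', "'"):                    # literal: copy through verbatim
            j = i + 1
            while j < n and src[j] != c:
                if src[j] == "\\":             # skip escaped char such as \" or \\
                    j += 1
                j += 1
            out.append(src[i:j + 1])
            i = j + 1
        elif c == "/" and nxt == "*":          # block comment: keep only its newlines
            end = src.find("*/", i + 2)
            end = n if end == -1 else end + 2
            out.append("\n" * src.count("\n", i, end))
            i = end
        elif c == "/" and nxt == "/":          # line comment: drop to end of line
            end = src.find("\n", i)
            i = n if end == -1 else end
        else:
            out.append(c)
            i += 1
    return "".join(out)


def sloc(src: str) -> int:
    """Lines that still hold code after comments and whitespace are gone."""
    return sum(1 for line in strip_comments(src).splitlines() if line.strip())


def sloc_tree(root: str, exts: Iterable[str] = (".c", ".h")) -> dict:
    """Walk an unpacked source tree (assumed path) and total SLOC per extension."""
    totals = {ext: 0 for ext in exts}
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1]
            if ext in totals:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    totals[ext] += sloc(fh.read())
    return totals
```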