[SATLUG] The difference between Linux and OpenSSL

Borries Demeler demeler at biochem.uthscsa.edu
Sat Apr 19 13:03:18 CDT 2014


The article lists a $2k *donation* budget and 1 full time employee in
charge of OpenSSL vs. solid funding thanks to the commercial backers of
Linux you mention. They say the issue of under-funding for some other
crucial open source initiatives is pervasive and a similar problem.
Also, they make a point of how widespread Linux is and how few people
actually know that. My point is that unlike the Mars lander you mention
(which did have sufficient funding) it is impressive how far OSS has
come often without solid funding, but more could be accomplished with
more funds. So it definitely *does* matter how much money is "thrown at
the problem".

-b.

On Sat, Apr 19, 2014 at 11:45:44AM -0500, Bruce Dubbs wrote:
> Borries Demeler wrote:
> >Lack of funding is the problem of many open source projects, despite
> >their incredible importance. This is made pretty clear in this article:
> >
> >http://bits.blogs.nytimes.com/2014/04/18/openssl-and-linux-a-tale-of-two-open-source-projects
> 
> I can't read it because they want me to register and I don't want to
> do that.
> 
> But let me make some comments.  Red Hat, SuSE, and Ubuntu have the
> funds to do QA for critical programs.  They either chose not to do
> that or missed the problem too.  How many full time equivalent (FTE)
> personnel are needed for good software QA for the critical
> components such as openssl, openssh, gpg, stunnel, etc.?
> 
> ALL software is subject to bugs.  The issue is how far after
> injection do the bugs get before they are removed.
> 
> No matter how much the software is examined, the potential for some
> bug getting through is still there.  It doesn't matter how much
> money is invested.  The really impressive feat in the relatively
> recent past was the Mars lander.  That it was successful at all was
> a tremendous feat of quality control.  However, if you dig down, I
> bet they have made changes at different times to the code due to
> unforeseen issues. Remember the crash because they didn't convert
> between English and metric units?
> 
> If it were proprietary code, how long would it have taken to
> discover the problem?
> 
> What is the bug density of open source vs proprietary?
> 
> http://www.coverity.com/press-releases/annual-coverity-scan-report-finds-open-source-and-proprietary-software-quality-better-than-industry-average-for-second-consecutive-year/
> 
> Looking at the openssl tarball, there are 349,834 lines of .c code
> and 97,247 lines of headers in 1191 files.  Subtract about 50 lines
> from each file for the copyright header and you get about 370K SLOC.
> 
>   -- Bruce
> 
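One way to reproduce the kind of tarball count Bruce quotes, as an added example that is not part of the thread: the script walks a source tree, tallies physical lines in .c and .h files and applies the fixed per-file header allowance from his estimate, and alongside that counts only lines that remain after blank and comment lines are removed, which is closer to what a SLOC tool reports. The paths and contents in SAMPLE_FILES are constructed for the demonstration and are not OpenSSL's sources; the comment stripper is a deliberate simplification that ignores comment markers inside string literals.

```python
import re
import tempfile
from pathlib import Path

SOURCE_SUFFIXES = {".c", ".h"}
HEADER_ALLOWANCE = 50  # per-file lines the thread's rough estimate subtracts for the license header

# Constructed sample tree (hypothetical file names and contents, not OpenSSL sources).
SAMPLE_FILES = {
    "crypto/a.c": (
        "/* Copyright notice\n"
        " * spanning two lines */\n"
        '#include "b.h"\n'
        "\n"
        "int add(int x, int y) {\n"
        "    return x + y; // trailing comment\n"
        "}\n"
    ),
    "include/b.h": (
        "/* header */\n"
        "int add(int x, int y);\n"
    ),
    "README": "not counted: no .c/.h suffix\n",
}


def strip_comments(text: str) -> str:
    """Drop /* ... */ and // comments. Simplification: comment markers inside
    string literals are not recognised, acceptable for an approximate count."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"//[^\n]*", "", text)


def count_tree(root, header_allowance=HEADER_ALLOWANCE):
    """Return physical and comment-free line counts for every .c/.h file under root."""
    totals = {"files": 0, "c_lines": 0, "h_lines": 0, "physical": 0, "logical": 0}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        physical = len(text.splitlines())
        # "logical" here means non-blank lines once comments are removed
        logical = sum(1 for line in strip_comments(text).splitlines() if line.strip())
        totals["files"] += 1
        totals["physical"] += physical
        totals["logical"] += logical
        totals["c_lines" if path.suffix == ".c" else "h_lines"] += physical
    # The thread's heuristic: physical lines minus a fixed per-file header allowance.
    # Clamped at zero, because a tree of tiny files would otherwise go negative.
    totals["rough_sloc"] = max(0, totals["physical"] - header_allowance * totals["files"])
    return totals


def write_sample_tree(root):
    """Materialise the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")


def sample_counts(header_allowance=2):
    """Build the constructed tree in a temporary directory and count it.
    A small allowance is used by default so the toy files do not clamp to zero."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_tree(tmp)
        return count_tree(tmp, header_allowance)


if __name__ == "__main__":
    print(sample_counts())
    print(sample_counts(header_allowance=HEADER_ALLOWANCE))
```

Against a real unpacked tarball, call count_tree("path/to/unpacked/source") with the default allowance; comparing rough_sloc with logical shows how much a flat per-file subtraction over- or under-counts relative to actually removing comments and blank lines.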