יום שני, יולי 21, 2008

The sunshine makes everything so dark...

Study: OSS Communities Are Often Slackers in Security

As usual, when you read these type of articles in reverse everything is so much clearer. So let's start from the end:
  • One paragraph before last, they bother mentioning the research company also provides "audited versions of several open source packages" and link to their friendly Open Review Project. OK, so it's not about security, or rather it's about their financial security...
  • Somewhere in the middle of the text, it becomes clear they only talk about open source Java and for the study they examined some 11 projects -- that's no doubt a typical representation of the FOSS community projects.
  • Also great quotes:
  • ..."One is the absence of any procedures for reporting bugs or security flaws."
    • Can you show me a decent FOSS project without a bugzilla?
    • Can you point to the URL for public reporting of bugs in proprietary products?
  • After reading through the text I found they try to compare "community" FOSS with "commercial" FOSS. They don't even mention proprietary.
  • Oh, we finally got to the title... yes, it was the communities they were bashing all along, not FOSS per-se. They actually claim to help FOSS by selling audited versions of the untrusted community editions. Just like our MS friendlies that simply love FOSS as long as it's on their terms.
So what can be said about this crap:
  • If these Fortify Software chaps really have a business plan around FOSS than a good advice would be -- if you want to drink from this well, don't piss in it...
  • And lets be clear about it -- I'm all for full disclosure of security flaws (FOSS or otherwise), but this article didn't disclose anything except paragraphs upon paragraphs of FUD.
Pretty obvious from the title, don't you think?