Microsoft's many eyeballs and the security development lifecycle
-
You might argue that the mere fact that Coverity can do this work is just another set of eyeballs. But I reject that argument entirely. This is a government subsidy to go do some hard and useful work, not a magic property of the fact that these are open source projects. The real beneficiaries of the subsidy are not Coverity (who is providing a fine service), but other companies whose business model is primarily about services and not software. I think those companies are big enough that they ought to be able to do some of this themselves.
Or in other words, the fact that F/OSS software can be independently analyzed is irrelevant at best and an insidious subsidy for service companies at worst. :rolleyes:
-
That's not his point at all. He's saying that what Coverity is doing is not a property of something being open source, but the result of a paid contract. (I'd argue that independent analysis is largely irrelevant anyway since source code analysis is primarily a tool to help identify potential problems--in the end, what matters is if the actual software exhibits a behavior and that can be tested on all published software, open source or not.)
-
In article:
"A million monkeys banging on a million keyboards will eventually produce Twelfth Night."
"We've all heard that a million monkeys banging on a million typewriters will eventually reproduce the entire works of Shakespeare. Now, thanks to the Internet, we know this is not true." - Robert Wilensky
-
Joe Woodbury wrote:
That's not his point at all. He's saying that what Coverity is doing is not a property of something being open source, but the result of a paid contract.
Source analysis - either automated static analysis or expert review - by definition requires access to the source code. That it also requires time and effort (== money) is irrelevant - you could have time, money, and the motivation to analyze a particular bit of software and without access to the source still be prevented from performing such analysis. Hence Microsoft's release of key source to Gov't agencies under limited circumstances. See also: various recent court cases requesting access to the source code for breathalyzers for the purpose of analyzing them for defects that would affect their accuracy/reliability.
Joe Woodbury wrote:
I'd argue that independent analysis is largely irrelevant anyway since source code analysis is primarily a tool to help identify potential problems--in the end, what matters is if the actual software exhibits a behavior and that can be tested on all published software, open source or not.
Well... black-box testing can be useful, but comprehensive testing isn't always feasible (it may be difficult to control inputs, or impractical to test all input combinations). Still, one of the better points he made was the real-world utility of techniques like fuzz testing in identifying problems.
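To make the two points above concrete (the input space is too large to test exhaustively, yet a dumb mutation fuzzer still finds real bugs), here is a small added example. It is not part of the original comment or of any project discussed in this thread; the record format, the parser and its bug are all constructed for illustration, and the fuzzer is a deliberately minimal black-box mutator with no coverage feedback.

```python
import random

# Toy record format, constructed for this example (not a real protocol):
#   byte 0: record type
#   byte 1: payload length N
#   bytes 2..2+N-1: payload
#   byte 2+N: checksum = sum(payload) & 0xFF
def parse_record(data: bytes) -> tuple[int, bytes]:
    """Parse one record; malformed input is rejected with ValueError.

    The planted bug: the declared length is trusted when locating the
    checksum byte, so a record that claims more payload than is present
    reads past the end of the buffer (IndexError here; an out-of-bounds
    read in a C implementation).
    """
    if len(data) < 3:
        raise ValueError("record too short")
    rtype = data[0]
    length = data[1]
    payload = data[2:2 + length]      # slicing silently truncates ...
    checksum = data[2 + length]       # ... but indexing does not
    if (sum(payload) & 0xFF) != checksum:
        raise ValueError("bad checksum")
    return rtype, bytes(payload)


def make_record(rtype: int, payload: bytes) -> bytes:
    """Build a well-formed record (payload must be under 256 bytes)."""
    return bytes([rtype, len(payload)]) + payload + bytes([sum(payload) & 0xFF])


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, byte overwrite, insert, delete, or truncate."""
    buf = bytearray(data)
    choice = rng.randrange(5)
    if choice == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif choice == 3 and buf:
        del buf[rng.randrange(len(buf))]
    elif choice == 4 and buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(target, seeds, budget: int, seed: int = 0):
    """Black-box mutation fuzzing with a fixed RNG seed for reproducibility.

    ValueError is the parser's documented rejection path and therefore not a
    finding; any other exception counts as a crash.  Returns
    (crashing_input, iterations_used), or (None, budget) if nothing was found.
    """
    rng = random.Random(seed)
    corpus = list(seeds)
    for i in range(1, budget + 1):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except ValueError:
            continue
        except Exception:
            return candidate, i
    return None, budget


def crash_type(target, data: bytes):
    """Replay one input and report the exception class it raises (None if it parses)."""
    try:
        target(data)
    except Exception as exc:
        return type(exc).__name__
    return None


def input_space_size(max_len: int) -> int:
    """Number of distinct byte strings of length 0..max_len: the reason
    exhaustive black-box testing is impractical even for tiny inputs."""
    return sum(256 ** n for n in range(max_len + 1))


if __name__ == "__main__":
    seeds = [make_record(1, b"hello"), make_record(2, b""), make_record(3, b"\x00" * 16)]
    crash, used = fuzz(parse_record, seeds, budget=5000)
    print(f"distinct inputs of length <= 8: {input_space_size(8):,}")
    print(f"crash after {used} iterations: {crash!r} -> {crash_type(parse_record, crash)}")
```

Note the split between "rejected" and "crashed": a fuzzer is only as good as its oracle, and a parser that raises a documented error on bad input is behaving correctly, while an unexpected exception (or, natively, a signal) is the bug. The same harness works against a binary-only target, which is the point made above about testing published software regardless of source access; what source access buys you is the ability to spot `data[2 + length]` by reading rather than by luck.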
-
I have to admit, "studliness ranking" sounds better than "man points".
Best wishes, Hans