Linux Foundation Project Will Evaluate Security of Open Source Software
An anonymous reader writes: The Core Infrastructure Initiative (CII), a project managed by The Linux Foundation, is developing a new free Badge Program, seeking input from the open source community on the criteria to be used to determine security, quality and stability of open source software. The first draft of the criteria is available on GitHub and is spearheaded by David A. Wheeler, an open source and security research expert who works for the Institute for Defense Analyses and is also coordinating the CII's Census Project, and Dan Kohn, a senior adviser on the CII.
Re: (Score:2)
Just one request... (Score:5, Interesting)
Please, please, PLEASE do not let this thing get morphed into Yet Another Certification Program.
Considering the expense and the mind-chewing bureaucratic colonoscopy that PCI (and similar) usually requires, I'd hate to see something similar have to happen to OSS dev projects - they can't afford that shit (either in time, attention, or money).
If you're truly going to do it? Advise, not dictate. Not all OSS projects have big-name sponsors and gobs of money, so make it a service to the smaller ones if you can.
short self-assess. Bug tracker, git, test suite (Score:3)
The current proposal involves a short self-assessment questionnaire and an automated script which checks a few things. The current (very early) draft of possible criteria is here:
https://github.com/linuxfounda... [github.com]
Major items include a bug tracker (with responses to security bugs), source control, and peer review. These are all standard best practices which improve software quality.
If you have a one-person project and can't get someone else to review your commits, that's okay. You can keep
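As an added illustration of the kind of automated self-check the post above describes (bug tracker, source control, peer review, test suite), here is a small checker written for this page, not the CII's own script; the criterion names, the trailer conventions and the review threshold are assumptions for the example.

```python
"""Toy badge-style self-check modelled on the draft criteria mentioned in the
thread. Assumptions (not from the CII draft): a commit counts as peer reviewed
when a Reviewed-by/Acked-by trailer names someone other than the author, and
peer review is advisory for a one-person project, as the post suggests."""
import re

# Git trailers that indicate someone other than the author looked at the change.
REVIEW_TRAILER = re.compile(r"^(Reviewed-by|Acked-by):\s*(?P<who>.+?)\s*$", re.M)
# Hints in a README that a public bug tracker exists.
TRACKER_HINT = re.compile(r"(github\.com/\S+/issues|bugzilla|bug tracker|issue tracker)", re.I)


def check_layout(paths, readme_text):
    """paths: relative file paths in the repo (a constructed list in the test).
    Returns a dict of criterion -> bool."""
    paths = set(paths)
    has_git = any(p.startswith(".git/") for p in paths)
    has_tests = any(p.split("/")[0] in ("test", "tests") for p in paths)
    has_tracker = bool(TRACKER_HINT.search(readme_text))
    return {"source_control": has_git, "test_suite": has_tests, "bug_tracker": has_tracker}


def review_coverage(commits):
    """commits: list of (author, message). Fraction of commits reviewed by a
    person other than the author; self-review trailers do not count."""
    reviewed = 0
    for author, msg in commits:
        reviewers = {m.group("who") for m in REVIEW_TRAILER.finditer(msg)}
        if reviewers - {author}:
            reviewed += 1
    return reviewed / len(commits) if commits else 0.0


def assess(paths, readme_text, commits, min_review=0.5):
    """Combine the checks into a per-criterion pass/fail plus an overall badge.
    Peer review is reported but does not block a single-author project."""
    result = check_layout(paths, readme_text)
    authors = {author for author, _ in commits}
    coverage = review_coverage(commits)
    result["review_coverage"] = round(coverage, 2)
    result["peer_review"] = coverage >= min_review or len(authors) <= 1
    result["badge"] = all(
        result[k] for k in ("source_control", "test_suite", "bug_tracker", "peer_review"))
    return result
```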
yeah, I'm at least three people (Score:2)
"Something like Moodle where AT LEAST three people review any change".
Yeah, Moodle is my pet project; I'm at least three people.
drunk (Score:1)
Not that I am bitter (Score:2)
And the black-hats promptly try really hard to compromise the evaluation process... 0 day express in 3.. 2..
Re: (Score:2)
Obviously, you don't run Apache... for a couple of years, that was a daily game. It isn't a dig at Open Source security, even though they have had their security nightmares. The problem is we have now a human process, which is very easy to compromise... In addition, will we see groupthink cause significant issues to be ignored, a problem currently not in existence within the open source community (sarcasm). It will be interesting and is better than what we have seen in the past.
Re: (Score:1)
Android, a Linux itself, proves compatibility with all the new malware for smartphones out there like no other does.
Re: (Score:2)
Not seeing what kind of mess the source code is may help some people sleep. Having identified one security breach since I moved from a proprietary OS to an open source one in 2002, leading to less than a percent of any and all applications I use being proprietary, and that breach was because of a bug in wordpress and compromised only my web server, really helps me sleep better. Before that breaches were normal - yet I didn't even run any server software meant to be accessed from outside back then.
Re: (Score:1)
I know I shouldn't feed the troll, but exactly how is this different from commercial software? I have only worked on commercial projects and most of the code is horrible. They are pushed to get the software installed and in production so money can be made. There is lots of cruft and hacks the customer will never see, thank god.
Re: (Score:1)
I've seen so much open source software with fundamental coding and security errors I shudder every time I see someone using one of these applications. Sometimes it's OK to roll the dice on your home computer if you understand the risks and maintain adequate backups, but I recommend for my business clients never to use open source as you are literally entrusting your entire business to some unknown programmer who may or may not know what the hell they are doing and has zero accountability for mistakes.
"Unknown programmers", you say. So you have the names and contact information of each individual programmer who wrote Windows or whatever other commercial software you are using? No? In fact my own experience is - open source is the only time I have ever been able to directly contact the person who wrote (or maintains) the software, and not some useless scripted help-desk! Accountability? Did you ever read a standard commercial EULA before you agreed to it? Disclaiming liability is one of their primar
Every public venue is amateur hour ... (Score:2)
That said, while fully acknowledging the shortcomings of many such apps it's wrong to be negative about some of the authors. Many are quite literally beginners, working on their first non-trivial program. The fact that they started and finished a non-trivial project puts them in the top echelon of their peers. High marks and congratulations for getting it done, now let me brutally comment on your
Re: (Score:3)
Every public distribution channel is amateur hour, open source or commercial.
This. If the download is compromised, it doesn't matter how secure the source is. Maybe what you thought was XCode is actually a CIA rootkit.
Why is there no gpg signature on Eclipse.org downloads? Why are the jars in the eclipse executable even signed if the signatures are not verified by default in Eclipse? Why does the Oracle Java 8 ppa:webupd8team for Ubuntu download and install from http sources just after I typed in sudo?
Re: (Score:2)
I've seen so much open source software with fundamental coding and security errors I shudder every time I see someone using one of these applications.
You had me at this, but then lost me with
but I recommend for my business clients never to use open source
Yes, some popular parts of open source could use a huge overhaul on coding practices and designs, but they're still pretty decent most of the time. Especially the core code, like the Linux Kernel, lots of great code quality overall.
Re: (Score:2)
Because kernel.org=/=The Linux Foundation?
Intentional/unintentional use? (Score:1)