Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Open Source Technology

The Linux Foundation Identifies Most Important Open-Source Software Components and Their Problems (zdnet.com) 29

Posted by msmash from the closer-look dept.
The Linux Foundation's Core Infrastructure Initiative (CII) and the Laboratory for Innovation Science at Harvard (LISH) have revealed -- in "Vulnerabilities in the Core, a preliminary report and Census II of open-source software" -- the most frequently used components and the vulnerabilities they share. From a report: This Census II analysis and report is the first major study of its kind but isn't a final analysis. It takes important first steps and lays out a methodology for understanding and addressing open-source software structural and security complexities. Specifically, it also identifies the most commonly used free and open-source software (FOSS) components in production applications and examines them for potential vulnerabilities. To create this work, CII and LISH partnered with Software Composition Analysis (SCAs) and application security companies such as Snyk and Synopsys Cybersecurity Research Center. They combined private usage data with publicly available datasets for identifying over 200 of the most used open-source software projects.

These are not the programs -- Apache, MySQL, Linux -- that probably spring to your mind. For all their foundational importance, it's the small building block programs that are most widely used. They may be small, sometimes less than a hundred lines of code (LoC), but they're vital. As Frank Nagle, a professor at Harvard Business School and co-director of the Census II project, said: "FOSS was long seen as the domain of hobbyists and tinkerers. However, it has now become an integral component of the modern economy and is a fundamental building block of everyday technologies like smart phones, cars, the Internet of Things, and numerous pieces of critical infrastructure. Understanding which components are most widely used and most vulnerable will allow us to help ensure the continued health of the ecosystem and the digital economy."
This discussion has been archived. No new comments can be posted.

The Linux Foundation Identifies Most Important Open-Source Software Components and Their Problems More

The Linux Foundation Identifies Most Important Open-Source Software Components and Their Problems

Comments Filter:

  • And...? (Score:5, Informative)

    by necro81 ( 917438 ) on Thursday February 20, 2020 @10:03AM (#59746716) Journal

    These are not the programs -- Apache, MySQL, Linux -- that probably spring to your mind. For all their foundational importance, it's the small building block programs that are most widely used.

    So you tell us what they aren't. But were you (submitter, editors) planning to tell us what they are?

    No? Then I'll quote the relevant parts from TFA:

    Many of these sub-programs are in JavaScript. In large part, that's because they're small -- 112 LoC -- and often perform only a single function. In contrast, the average Python module in the PyPI repository has over 2,200 LoC. So, when you measure programs by dependencies, JavaScript shows up far more often.

    The most commonly used Javascript programs: Async, Inherits, Isarray, Kind-of, Lodash, Minimalist, Natives, Qs, Readable-stream, String_decoder

    The most widely used non-javascript software components: Com.fasterxml.jackson.core:jackson-core, Com.fasterxml.jackson.core:jackson-databind, Com.google.guava:guava, Commons-codec, Commons-io, Httpcomponents-core, Logback-core, Org.apache.commons:commons-lang3, Slf4j

    The article includes a brief description of each. I have just named the components they list for brevity.

    • Re: (Score:2)

      by hey! ( 33014 )

      Mostly the problems are where you'd expect to find them: obscure library routines which manage data received from the Internet, or give software access to underlying system resources.

      I confess I hadn't really thought much about logging as an attack vector, but it makes sense. OWASP has an interesting page on "log injection". Apparently you use logging to launch XSS attacks administrators' broswers, or to attack vulnerabilities in scripts which do offline filtering and processing of logs.

      • Re: (Score:3)

        by HiThere ( 15173 )

        The question is, "How much can you trust a report from 'The Linux Foundation'". Please note that this is not especially a pro-Linux group, though I believe it once was. These days it includes groups like Microsoft. And even Red Hat isn't as reliably pro-Linux as it used to be. (Red Hat promotes a particular subset of Linux use cases.)

        • Re: (Score:2)

          by hey! ( 33014 )

          No, the question is, how well supported by evidence and experience is that report?

          Everybody's got biases. If you're looking for an unbiased person you can believe without question, that person doesn't exist. Even if the Microsoft Windows product manager made this report, it still doesn't mean it's automatically non-credible.

          • No, the question is, how well supported by evidence and experience is that report?

            Everybody's got biases. If you're looking for an unbiased person you can believe without question, that person doesn't exist. Even if the Microsoft Windows product manager made this report, it still doesn't mean it's automatically non-credible.

            Well the report suggests that a bunch of javascript functions are more common than the standard c library which underlays a large fraction of what is in Linux. So no, it's not credible.

    • Javascript ist a standard.

      Whose implementation of the standard has all these problems ?

    • The most commonly used Javascript programs: Async, Inherits, Isarray, Kind-of, Lodash, Minimalist, Natives, Qs, Readable-stream, String_decoder

      That would be minimist, not Minimalist, and it hasn't received any updates since 2015. Somehow it still has 35 million weekly downloads on npmjs.com.

      npmjs.com - and by extension, npm, yarn, etc. - could do a great service to their users by recommending modern alternatives to packages that haven't had a release in over a year. In this case, replace minimist with yargs.

  • Finally! (Score:5, Funny)

    by rsilvergun ( 571051 ) on Thursday February 20, 2020 @10:15AM (#59746768)
    Somebody's going to fix the long outstanding issues with Tux Racer on S3 Virge cards. I've been waiting Years for this.

    • Re: (Score:3)

      by Z80a ( 971949 )

      Just upgrade to a matrox mystique.
      It has less screen effects, but it's a lot faster.

      • Re: (Score:1)

        by Anonymous Coward

        And if you are rich and have more than one display, you can use a Matrox Millennium G450 Dual Head.

  • These small programs are easy to fix though. (Score:5, Interesting)

    by jellomizer ( 103300 ) on Thursday February 20, 2020 @10:16AM (#59746770)

    I am guessing this is from the recent sudo flaw that came out.
    However these small 100 line programs are often easy to debug and also easy to rewrite, in a more modern secure method.

    Lets say there is a problem with the "cat" command. The program is so simple that it could be fixed, or rewritten to avoid the found problem.

    Also while Linux has a lot of these small programs. Being that their are small programs most of them can run for generations without needing to be updated. As their simplicity allows for proper bug free operation.

    • I am guessing this is from the recent sudo flaw that came out.
      However these small 100 line programs are often easy to debug and also easy to rewrite, in a more modern secure method.

      Lets say there is a problem with the "cat" command. The program is so simple that it could be fixed, or rewritten to avoid the found problem.

      Also while Linux has a lot of these small programs. Being that their are small programs most of them can run for generations without needing to be updated. As their simplicity allows for proper bug free operation.

      And systemd is over 1.3 million lines of code...

      • And systemd is over 1.3 million lines of code... and the very existence of every single on of them is a problem.

        Every time I update my Linux installations, systemd fucks with my DNS is some new and annoying way. I Google how to disable it, and next update it comes back and puts me offline again.

        Surely the entire systemd production chain should be charged under the computer mis-use act, and subjected to cruel and inhuman punishment.

        And to think people are worried about Huawei. My Honor7 is probably sendi

      • I can fix that by removing all the carriage return characters form the code.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Oh young grasshopper if it were so easy it would have already been done.

      Kidding aside - until you realize that folks/systems/software, etc. *depend* on the errant side effects.

      That old joke about it not being a bug but a feature? That rings more truth when the code in question is "foundational", such as these, and have been that way for a really, really long time as folks don't code around those problems but code *expecting* them.

      Personally, I think it's good that they are going back and looking at not jus

    • I read the article. Every program mentioned was not a C program you'd use in Linux. Everything was JavaScript or Java libraries. There was one lib I did not recognize (commons-io) so maybe some C developers link to it. I don't.

  • So this is really a Copy-n-Paste Script Kiddie aka Coder problem. And the pollution created by these "Coders" with their copying and pasting is so severe that it is impossible to determine the real extent of the issue, or even if it exists at all outside of the cut-n-paste Coders crowd.

    I hope no money was actually spent on this utter waste of time. I could have told you that having cut-n-paste "coders" pretending they were software developers was a bad idea. In fact you were told this a LONG TIME AGO and

    • Copy and paste is reuse. Reuse is usually considered good.
      I could re-write everything by hand and introduce more bugs, or I could reuse and hope the reference code is improved over time as bugs are found.

  • Shouldn't that be the Microsoft Linux Foundation (Score:3)

    by notdecnet ( 6156534 ) on Thursday February 20, 2020 @12:46PM (#59747272)
    “to understand how to compete against OSS, we must target a process rather than a company .. OSS is long-term credible ... FUD tactics can not be used to combat it .. Linux can win as long as services / protocols are commodities.” Vinod Valloppillil Aug 11 1998 [gnu.org]

    Condemn with faint praise ..

    important steps towards understanding and addressing structural and security complexities in the modern day supply chain where open source is pervasive but not always understood.” ref [lwn.net]

    ‘The demos of OS/2 were excellent, crashing the system had the intended effect -- to FUD OS/2 2.0. People paid attention to the demo and were often supprised to our favor. Steve positioned it as --OS/2 not "bad" but that from a performance and "robustness" standpoint’ ref [edge-op.org]

  • OSS runs the world, according to tfa it brings certain challenges, such as;

    "...open source hasn't escaped the curse of legacy software. Developers move on to newer programs or newer versions of their old programs, but downstream programmers still rely on the old program."

    Uh, yeah, you're benefitting from a free open source piece of software, either update or if you want it to be maintained, contribute with either your time or money.

    And this is coming from the Linux Foundation, they should know better.

Slashdot Top Deals

"Your stupidity, Allen, is simply not up to par." -- Dave Mack (mack@inco.UUCP) "Yours is." -- Allen Gwinn (allen@sulaco.sigma.com), in alt.flame

Close