[ossig] Linux guru warns on security in open source - Security - News - ZDNet Asia

NP Lee nplee at tm.net.my
Sat Oct 28 22:37:34 MYT 2006 

***********************
Your mail has been scanned by InterScan MSS.
***********************


http://www.zdnetasia.com/news/security/0,39044215,61962820,00.htm

*Linux guru warns on security in open source*
By Richard Thurston 
<mailto:zdnews-asia at cnet.com&Subject=Feedback%20on%20%27Linux%20guru%20warns%20on%20security%20in%20open%20source%27>, 
ZDNet UK
Friday , October 27 2006 09:55 AM

*Alan Cox, one of the most respected figures in the U.K. open-source 
community, has warned about complacency over the security of open-source 
projects. *

Speaking to delegates at London's LinuxWorld conference on Wednesday, he 
emphasized that considerable sums of money were being spent in 
attempting to hack into open-source systems.

Advertisement

And he cautioned that many open-source projects were far from secure.

"There is a lot of money going into security, but the situation is 
worse, because there is a lot of money going into breaking security. 
People are being paid to work breaking down software systems," Cox, who 
is employed by Linux seller Red Hat, told delegates.

"Things appear in the media, like 'open-source software is more secure, 
more reliable and there are less bugs.' Those are very dangerous 
statements," Cox said.

Cox said that analysis looks only at well-known projects. An analysis of 
150 projects from SourceForge <http://sourceforge.net/>, a repository 
for open-source code, would not result in the same high marks that the 
Linux kernel would get, he noted. "High-quality only applies to some 
projects--those with good code review and those with good authors," Cox 
said.

"The debate of Microsoft saying 'Look how secure we are' versus Linux 
saying 'We're more secure' is not looking at the important points," he 
added.

Cox, who has been closely involved with the development of the Linux 
kernel for many years, also took the opportunity to take a swing at a 
newly launched project that promises to measure the quality of 
open-source code.

The Software Quality Observatory for Open Source Software (SQO-OSS), 
funded by the European Commission, was launched on Monday. Cox told 
delegates that metrics must not become targets.

"It is good to build metrics, and SQO-OSS has great potential," he said. 
"But there are problems with this, and there are risks associated with 
that kind of methodology.

"If you are working with metrics and you have 14 bugs, you fix the 13 
easy ones, and the one hard one can wait. That happens in the security 
world, but it becomes inefficient."



-------------- next part --------------
An HTML attachment was scrubbed...
URL: /pipermail/ossig_mncc.com.my/attachments/20061028/4cd34cb3/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: advertisement.gif
Type: image/gif
Size: 140 bytes
Desc: not available
Url : /pipermail/ossig_mncc.com.my/attachments/20061028/4cd34cb3/attachment.gif

More information about the ossig mailing list