Subject: Re. Fwd: - firebird database and security holes
Author: Paul Beach
The following was sent to Charles Babcock
at Information week:

As a developer and administrator of the Firebird Project
I completely reject the statement you made in the above
article.

"The somewhat moribund Firebird project, for example, is listed
with 195 identified defects, of which it has verified zero and
fixed zero. The active Firefox browser project, on the other hand,
has fixed 370 bugs, verified 56 and faces another 246 to verify and fix."

The Firebird project is in fact incredibly active - perhaps a look
at this chart on our bug tracker might give you a clue.

http://tinyurl.com/yt5pgl

Firstly, the Firebird project reviewed the Coverity
results almost immediately after they were published and found that the report
isn't actually related to the Firebird engine. This URL shows our
appropriate comments from the 7th March 2006:
http://www.firebirdnews.org/?p=180

Secondly, in a more detailed reply to the actual "PR" issue raised by
David Maxwell, open source strategist for Coverity...
If you had asked about this before printing the article
you could have put some facts straight.

Nearly all of the 195 identified defects are in fact actually
within an external piece of code, ICU, which we use for character sets and
collation sequences:

http://www-306.ibm.com/software/globalization/icu/index.jsp

"The International Component for Unicode (ICU) is a mature,
portable set of C/C++ and Java libraries for Unicode support,
software internationalization (I18N) and globalization (G11N),
giving applications the same results on all platforms."

An open source project maintained by IBM. I will admit that we
are using an older version of ICU (3.0) than is currently available
and we will be upgrading to a newer version in the near future.
But this is not something that is a trivial exercise, as it means
that any database using a different version of ICU would be
incompatible with the version we ship. We plan to upgrade ICU
in Firebird version 2.5.

Other defects reported include one in
usr/include/c++/4.0.2/i386-redhat-linux/bits/gthr-default.h

Not our problem either....

And there are four defects in firebird2/src/gpre/pretty.cpp,
a piece of old code used with a pre-compiler (gpre) to make
BLR look good. BLR (Binary Language Representation) is
Firebird's internal compiled language. This doesn't affect the Firebird
server at all.

I would like you to print a correction or at least acknowledge
the inaccuracy of the article as regards Firebird.

Regards,
Paul Beach
Tel (France): +33 (0) 2 47 58 30 43
Mob (France): +33 (0) 6 79 24 32 32