Subject Open Source Code Contains Security Holes
Author mariuz
Sent to you by mariuz via Google Reader: "Open Source Code Contains
Security Holes" via Paul Beach's Blog by Paul Beach on 1/9/08.

The following was sent to Charles Babcock at InformationWeek in reply to
an article entitled:

Open Source Code Contains Security Holes

As a developer and administrator of the Firebird Project I completely
reject the statement you made in the above article.

"The somewhat moribund Firebird project, for example, is listed with
195 identified defects, of which it has verified zero and fixed zero.
The active Firefox browser project, on the other hand,
has fixed 370 bugs, verified 56 and faces another 246 to verify and
fix."

The Firebird project is in fact incredibly active - perhaps a look at
this chart on our bug tracker might give you a clue.

http://tinyurl.com/yt5pgl

Firstly, the Firebird project reviewed the Coverity results almost
immediately after they were published and found that the report isn't
actually related to the Firebird engine. This URL shows our appropriate
comments from the 7th March 2006:
http://www.firebirdnews.org/?p=180

Secondly, a more detailed reply to the actual "PR" issue raised by
David Maxwell, open source strategist for Coverity: if you had asked
about this before printing the article you could have put some facts
straight.

Nearly all of the 195 identified defects are in fact actually within an
external piece of code we use for character sets and collation
sequences, ICU:

http://www-306.ibm.com/software/globalization/icu/index.jsp

"The International Component for Unicode (ICU) is a mature, portable
set of C/C++ and Java libraries for Unicode support, software
internationalization (I18N) and globalization (G11N),
giving applications the same results on all platforms."

An open source project maintained by IBM. I will admit that we are using
an older version of ICU (3.0) than is currently available and we will
be upgrading to a newer version in the near future.
But this is not something that is a trivial exercise, as it means that
any database using a different version of ICU would be incompatible
with the version we ship. We plan to upgrade ICU in Firebird version 2.5.

Other defects reported include one in
usr/include/c++/4.0.2/i386-redhat-linux/bits/gthr-default.h.
Not our problem either....

And there are four defects in firebird2/src/gpre/pretty.cpp, a piece of
old code used with a pre-compiler (gpre) to make BLR look good. BLR
(Binary Language Representation) is Firebird's internal compiled
language. This doesn't affect the Firebird server at all.

I would like you to print a correction or at least acknowledge the
inaccuracy of the article as regards Firebird.

Regards
Paul Beach
