Bruce Schneier points out that the DHS is paying to have some popular open source software scanned for bugs, and then fixing the bugs! Although the articles he links to don’t quite say the same… DHS is providing the scan results and the open source projects are then handling the bugs themselves, according to those sources. Still, it’s downright neighborly of the DHS to do this for us, and thereby improve the quality of software security worldwide, at a rate of 1 fix every two hours since the start of the program in 2006. It’s also nice to see where Linux stands:
(average being approximately 1 defect per thousand lines)
The KDE interface contains 4,712,273 lines of
code, has fixed 1,554 defects, has verified another 25 and has only 65
to go. Gnome contains 430,809 lines of code, has fixed 357 defects,
verified 5 and has 214 to go.
Whew. KDE is huge, but it has fewer bugs-per-line, and it’s doing a better job of fixing those bugs. Go, KDE! You guys rock.
…and the skeptic in me is glad DHS isn’t doing the fixes for us. I’d worry they were slipping some back doors or spyware in. 😉