Open-source software's main claim to security is that because anyone can view the source code, developers can constantly look for bugs and fix them. And with a broad cross-section of expertise in the developer community, programmers with specific strengths can look for hard-to-understand, "deep," bugs and fix what others might miss. In his essay on the open-source movement, "The Cathedral and the Bazaar," developer Eric Raymond wrote, "Given enough eyeballs, all bugs are shallow." De Raadt led a team of OpenBSD developers on just such a review, cleaning up the source code for the Unix-like operating system and replacing functions that were known to be insecure with more robust substitutes. Yet, the "many eyes" theory, as it is known in the open-source world, doesn't work so well in reality, said WireX's Cowan. "It does not assure that many eyes are actually looking at the code," Cowan said. "In fact, it is likely that 'rock star' code that is hip to work on gets adequate attention, while the other 90 percent languishes, in many cases never even seen by anyone but the code's authors." And much of this unsexy code forms the foundation of Linux. Cowan hopes his Sardonix site will become a central registration point for auditing efforts, but for now, Linux and open-source software must rely on developers feeling obligated enough to commit to the drudgery of vetting source code for software bugs. After security researchers found the flaw in the Web scripting language PHP, a group of programmers decided to start auditing that popular project's code. "It's difficult to introduce new features and review the existing code at the same time," said Frank Denis, a part-time systems administrator for a French Internet service provider and leader of the PHP code-auditing project. "It's why we are trying to give a hand on that point. We won't introduce any new features, but we will fix potentially dangerous code." A central process to find bugs, such as Microsoft's Trustworthy Computing initiative, will never catch all flaws in open-source software, Denis added. "To break into your server, script kiddies will try totally unconventional tricks that have no chance of being part of any initial validation procedure," Denis said, referring to the class of online vandals who are not as technically adept. "The result of (our) different approaches will give a more extensive audit than any strict guidelines. That is the strength of free software: Everyone can put his own brick in the wall." Polishing the software
Despite the security problem with his own project's code, Jean-loup Gailly, chief software architect for Vision IQ and the co-creator of the Zlib compression library, stressed that Linux's development process still creates more secure code. "Open-source programs are subject to much more scrutiny and, in case of problems, fixed much more quickly than closed-source programs," Gailly said. "Apache is not more popular than Microsoft IIS (Internet Information Server) by accident; one of the reasons is that it is more secure." An additional layer of polish is put on the source code by companies and organisations such as Red Hat and Debian, which package their own Linux distributions, Gailly added. Linus Torvalds, a senior engineer at chipmaker Transmeta and the creator of the Linux kernel, thinks the open-source development style works well. "Most (code review) by far is simply people looking at code, often for some other reason that had nothing to do with formal auditing," Torvalds said. "I personally like it that way, and it's proven to work pretty well in practice." Moreover, rather than seeing a threat from Microsoft's new focus on security, Torvalds believes the move shows how weak the company's security used to be. Microsoft wouldn't provide an executive for comment on the issue. "Let's face it," Torvalds said. "Microsoft did their initiative because they've been so bad at security in general. They fix bugs when somebody drives a truck through them and they get embarrassed enough. Get embarrassed (often) enough, and you start creating 'initiatives' -- whether in politics or in commercial software." He continued: "In the open-source community, the community has so far been pretty good at policing itself without the embarrassment. Do bugs happen? Yes, of course. But do they get found and fixed without a new virus of the week that costs a few billion dollars of user time? You bet."
For all your GNU/Linux and open source news, from the latest kernel releases to the newest distributions, see ZDNet UK's Linux Lounge.
Have your say instantly, and see what others have said. Go to the Linux forum.
Let the editors know what you think in the Mailroom.
