Open Sauce Software
Tasty titbits from people using Linux and other open source software in business.
Thursday 17 January 2008, 5:12 PM
Red Hat bugs - another open source PR hit?
Secunia reported the discrepancy, stating in its 2007 Report that Red Hat had 633 flaws, compared with Windows' 123. However, Red Hat's Mark Cox quickly pointed out in a blog that a) the number was wrong, b) it counted flaws in all the third-party products associated with Red Hat's OS, and worst of all c) it counted several bugs six times, since it added up fixes made for the same bug on multiple Red Hat products.
Now, Secunia has a reasonably respected position in alerting the industry about security flaws, and promoting fixes, but it clearly isn't doing quite so well on the whole business of statistics and counting.
The interesting thing is why Secunia would push this story at all.
Even if there were a greater number of reported bugs on these open source products, that would not equal lower security. It could just mean that there is more publicity for known bugs in the open source world (as we saw recently, when code-checker Coverity announced it had found around 8000 bugs in open source projects, I commented here that this was actually good news for open source).
Obviously, whether or not Secunia deliberately got its sums wrong, it remains the case that "open source security flaws" is a much more arresting headline than "Microsoft security flaws" - for exactly the same reason that "man bites dog" is more interesting than "dog bites man".
After all this time, we still know which way the security argument goes.