January 18, 2008

Python Gets Security Plaudit, Moves to Coverity Rung 2

This is something that hasn't yet made big news, but I don't know why not. For over a year now Coverity, funded by the Department of Homeland Security's Open Source Hardening project, has been working to report potential security flaws in open source projects. The company recently announced that eleven projects had been sufficiently proactive in responding to defect reports that they now move to "rung 2", giving them access to further levels of Coverity's hardening technology.

Of course Python is one of those projects. It says a lot for the developers that they responded so aggressively to the reports (some, inevitably, were specious, but several represented significant issues that, thanks to this initiative, will never trouble Python users). The bottom line? Python, like Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Samba, and TCL, is a project whose developers take correctness and security seriously.

I anxiously await the results of the first scan of some Microsoft product, but I am not holding my breath. Even if the scan takes place (and for all I know Microsoft are using Coverity's scanners every day), Microsoft would not publish the results. This shows the value of openness, one of open source's major benefits: you know that security issues aren't being swept under the rug in the name of profit.

The tail end of a ZD-Net article suggests that some people are less than happy about this project because they feel it will lead to ill-informed discussion about security problems in open source software. While this isn't a battle that will be won in a day, being seen to assiduously fix reported software problems will eventually win against the lip service paid to security by so many commercial vendors. If you're looking for well-informed discussion then this blog is the place to come (he wrote, modestly).
Anonymous said...

Don't let yourself be dragged into politics. People can study and write about what they find. In the end, we geeks only care about technicalities. :)

Steve said...

Is that "we geeks" as in "you can't be one of us if you do care about politics?" Don't get me started!

One of the problems in western democratic society (and, I suspect, much of the so-called civilized world) is the governed abdicating their rights to monitor and control the government. The power to vote effectively means nothing in such a society. So in America today it's certainly "of the people", but it's definitely not "for the people". The people are sheep, as in 1984, and the ones that aren't can expect trouble.

As for "by the people", what does your approach say? That geeks aren't people? See another blog for something geeks should care about just as much as everyone else. Take a lead from Ka Ping Yee—wake up and smell the coffee.

Paddy3118 said...

Hi Steve,
I had posted much the same here: http://groups.google.co.uk/group/comp.lang.python/browse_frm/thread/ebdd561bb9757c93?hl=en
I found it strange that no one joined in, but there you go :-)

- Paddy.