Code Quality: Open Source vs. Proprietary
just_another_sean sends this follow-up to yesterday's discussion about the quality of open source code compared to proprietary code. Every year, Coverity scans large quantities of code and evaluates it for defects. They've just released their latest report, and the findings were good news for open source. From the article:
"The report details the analysis of 750 million lines of open source software code through the Coverity Scan service and commercial usage of the Coverity Development Testing Platform, the largest sample size that the report has studied to date. A few key points: Open source code quality surpasses proprietary code quality in C/C++ projects. Linux continues to be a benchmark for open source quality. C/C++ developers fixed more high-impact defects. Analysis found that developers contributing to open source Java projects are not fixing as many high-impact defects as developers contributing to open source C/C++ projects."
Re:Managed languages (Score:4, Informative)
Apparently you missed the crypto flaws in Android's Java crypto library from last year that exposed private keys. Apparently writing things in Java guarantees jack and shit.
Re:heartbleed (Score:5, Informative)
Disclaimer: I work for Coverity. There's a write-up on why Coverity didn't find it out of the box here:
http://security.coverity.com/b... [coverity.com]
Re:Did they test OpenSSL? (Score:4, Informative)
They did examine heartbleed.
http://ericlippert.com/2014/04... [ericlippert.com]
Re:Managed languages (Score:3, Informative)
Re:Not a surprise (Score:1, Informative)
Sure you can. It's called binary patching. It's how people patch bugs in closed-source games.
Yes, it's possible; you just need to ignore the license, use a decompiler, and single-step through the code, fixing and patching. The only problem is that you are fixing *your copy only*. Now you can continue to ignore the license and spread your copy around, or you can make a binary patch and spread that around (ignoring the first instance of license violation by using a decompiler). The only other issue is that you may have to patch the next version of the software if the company doesn't fix the original (they don't necessarily recognise you as a developer or important), and if they catch you spreading patches or fixes, they will prosecute (read the license for more info). So yes, like cutting a slice out of a baked cake, you can do a 'binary patch', unlike those 'open source' patches, which are more like altering the ingredients list. Note also that your fix might be duplicated by dozens or hundreds of others.
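The binary patching the two comments above describe, as an added example that is not from the Slashdot thread or any commenter. Everything in it is constructed for illustration: the "closed-source build" is an in-memory x86 byte string, the "fix" replaces a conditional jump (JE, opcode 0x74) with an unconditional short jump (JMP, 0xEB) so a hypothetical failing check is always skipped, and a second byte string stands in for the vendor's next release with an extra instruction shifting the offsets. The practitioner's point is the "your copy only / next version" problem from the comment: a distributable patch has to be pinned to the exact build (a SHA-256 of the file plus the bytes expected at each offset) so that applying it to a different release fails loudly rather than corrupting a random instruction.

```python
"""Minimal binary-patch format with build pinning (illustrative, not any real tool)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Hunk:
    offset: int   # byte offset in the target file
    old: bytes    # bytes expected at that offset before patching
    new: bytes    # replacement bytes (same length: no relocation needed)


@dataclass(frozen=True)
class BinaryPatch:
    target_sha256: str   # the one exact build this patch was made against
    hunks: tuple         # Hunk instances


class PatchError(Exception):
    pass


def make_patch(original: bytes, edits) -> BinaryPatch:
    """Build a patch from (offset, new_bytes) pairs against a known original.
    The original bytes are recorded so apply_patch() can verify them later."""
    hunks = []
    for offset, new in edits:
        old = original[offset:offset + len(new)]
        if len(old) != len(new):
            raise PatchError(f"edit at {offset:#x} runs past end of file")
        hunks.append(Hunk(offset, old, new))
    return BinaryPatch(hashlib.sha256(original).hexdigest(), tuple(hunks))


def apply_patch(data: bytes, patch: BinaryPatch) -> bytes:
    """Return a patched copy; refuse to touch a build the patch was not made for."""
    digest = hashlib.sha256(data).hexdigest()
    if digest != patch.target_sha256:
        raise PatchError(f"target sha256 {digest[:16]}... does not match patch "
                         f"target {patch.target_sha256[:16]}...")
    buf = bytearray(data)
    for h in patch.hunks:
        actual = bytes(buf[h.offset:h.offset + len(h.old)])
        if actual != h.old:   # second line of defence if the hash check is ever skipped
            raise PatchError(f"bytes at {h.offset:#x} are {actual.hex()}, "
                             f"expected {h.old.hex()}")
        buf[h.offset:h.offset + len(h.new)] = h.new
    return bytes(buf)


def revert_patch(data: bytes, patch: BinaryPatch) -> bytes:
    """Undo a patch: swap old/new in every hunk and verify the original build comes back."""
    inverse = BinaryPatch(hashlib.sha256(data).hexdigest(),
                          tuple(Hunk(h.offset, h.new, h.old) for h in patch.hunks))
    restored = apply_patch(data, inverse)
    if hashlib.sha256(restored).hexdigest() != patch.target_sha256:
        raise PatchError("revert did not reproduce the original build")
    return restored


# Constructed stand-in for a closed-source build "v1": x86-64 bytes around a
# hypothetical check. 0x74 0x05 is JE +5 (skips the mov eax,1 that follows).
BUILD_V1 = bytes.fromhex(
    "554889e5"      # push rbp; mov rbp, rsp
    "85c0"          # test eax, eax
    "7405"          # je +5            <- offset 6 is the byte we patch
    "b801000000"    # mov eax, 1
    "5dc3"          # pop rbp; ret
)
JE_OFFSET = 6
# The "fix": JE -> JMP so the branch is always taken.
PATCH = make_patch(BUILD_V1, [(JE_OFFSET, b"\xEB")])

# Constructed "v2": the vendor rebuilt with an extra instruction (sub rsp, 0x10),
# so every offset after the prologue moved by 4 bytes and PATCH no longer fits.
BUILD_V2 = BUILD_V1[:4] + bytes.fromhex("4883ec10") + BUILD_V1[4:]


def try_apply(data: bytes, patch: BinaryPatch):
    """Return (ok, result_or_error_message) so callers can see why a patch was refused."""
    try:
        return True, apply_patch(data, patch)
    except PatchError as e:
        return False, str(e)


if __name__ == "__main__":
    ok, out = try_apply(BUILD_V1, PATCH)
    print("v1:", ok, out.hex() if ok else out)
    ok, out = try_apply(BUILD_V2, PATCH)
    print("v2:", ok, out if not ok else out.hex())
```

The same-length restriction is deliberate: a patch that changes instruction sizes would shift every relative jump after it, which is exactly the class of mistake the hash and expected-bytes checks are there to catch when the next vendor build arrives.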