[attrition] US Government Studies Open Source Quality

security curmudgeon jericho at attrition.org
Tue Mar 14 09:53:44 EST 2006


(I recommend you read the original, as many parts of the text are links to 
other resources)


http://www.osvdb.org/blog/?p=104

US Government Studies Open Source Quality

"US Government Studies Open Source Quality" reads the SlashDot thread, and 
it certainly sounds interesting. Reading deeper, it links to an article by 
the Reg titled "Homeland Security report tracks down rogue open source 
code". The author of the article, Gavin Clarke, doesnt link to the company 
who performed the study (Coverity) or the report itself. A quick Google 
search finds the Coverity home page. On the right hand side, under 
Library, there is a link titled "NEW >> Open Source Quality Report". 
Clicking that, you are faced with "request information", checking the Open 
Source Quality Report box (one of seven boxes including Request Sales Call 
as the first option, and Linux Security Report is the default checked 
box), and then filling out 14 fields of personal information, 10 of which 
are required.

So, let me get this straight. My tax dollars fund the Department of 
Homeland Security. The DHS opts to spend $1.24 million dollars on security 
research, by funding a university and two commercial companies. One of the 
commercial companies does research into open source software, and creates 
a report detailing their findings. To get a copy of this report, you must 
give the private/commercial company your first name, last name, company 
name, city, state, telephone, how you heard about them, email address, and 
a password for their site (you can optionally give them your title, and 
describe your project).

Excuse me, but it should be a CRIME for them to require that kind of 
personal information for a study that I helped fund via my tax dollars. 
Given this is a study of open source software, requiring registration and 
giving up that kind of personal information is doubly insulting. Coverity, 
you should be ashamed at using extortion to share information/research 
that should be free.

Even worse, your form does not accept RFC compliant e-mail addresses (RFC 
822, RFC 2142 (section 4) and RFC 2821). Now I have to add your company to 
my "no plus" web page for not even understanding and following 24 year old 
RFC standards. HOW CAN WE TRUST ANYTHING YOU PUBLISH?!

Oh, if you dont want to go through all of that hassle, you can grab a copy 
of the PDF report anyway.

http://osvdb.org/ref/blog/open_source_quality_report.pdf


More information about the attrition mailing list