
August 3, 2005 2:26 PM PDT

Key bugs in core Linux code squashed

Serious security bugs in key parts of the latest Linux code have been fixed, but some small glitches have been introduced, according to a recent scan.

In December, Coverity looked at version 2.6.9 of the Linux kernel, the heart of the open-source operating system, and found six critical defects in the core file system and networking code. In July, the code analysis company scanned the latest version of the Linux kernel, version 2.6.12, and found no such programming errors, Coverity CEO Seth Hallem said.

However, 1,008 defects were discovered in other parts of version 2.6.12. These coding problems, which could indicate security flaws, rest mainly in drivers, Hallem said. That's a slight increase compared with the earlier analysis, when 985 total defects were found, according to San Francisco-based Coverity.

"The bugs that we reported that were in critical pieces of the kernel were fixed," Hallem said. "At the same time, people still write buggy code. As new code gets introduced, there are new bugs."

As a result, the overall bug density--the number of bugs per thousand lines of code--only decreased from 0.17 defects to 0.16 defects, according to Coverity's scan.

The results of the analysis are a sign that Linux is maturing as an operating system and in the security of its core code. That could make it a more attractive option for users, corporate ones especially, as rival OS maker Microsoft works to bolster the security in its own software.

Coverity's code analysis tools look for common mistakes in writing C and C++ programming code. The company did not give details on the scope of the flaws it found. It rated faults in the file system and networking code as more serious because those pieces will be used by all Linux users, Hallem said. The other coding mistakes are considered less critical because bugs in drivers, for example, will only put users at risk if they use those drivers.

The analysis can't be used to measure the security of Linux next to that of Microsoft's Windows operating system. The Windows kernel source code is not available for scanning by Coverity, making an equal comparison impossible.

Microsoft does use analysis tools similar to those in Coverity's study to vet its Windows code. One tool, known as Prefast, runs on each developer's workstation to check code for simple problems. The other tool, Prefix, is run every night on the Windows source code to catch more complex issues.

Like last time, Coverity plans to make the results of its analysis available to Linux developers so the bugs it found can be fixed, Hallem said.

Why so few?
by heystoopid August 3, 2005 3:31 PM PDT
Why so few, Windows XP has more, and a new service pack is on the way! I think I'll upgrade my buggy M$ virus ridden system, to something that actually works!
Simple
by 201293546946733175101343322673 August 4, 2005 10:59 AM PDT
Because Linux is for losers :)
M$ vs Linux
by August 4, 2005 5:56 AM PDT
In my opinion, Linux is a vastly superior OS. It is more secure by a long shot, more stable by a long shot, and just more reliable. With that said, M$ still wins because they excel at delivering mediocre software that looks pretty. Most folks have been trained to accept occasional crashes, daily/weekly reboots, viruses, trojans, and service packs that break more things than they fix as standard computing. My biggest problem with all this is that the OS is way overpriced -- especially considering a typical upgrade costs nearly 50% of a whole new low-end system. Also, since most developers want to only develop for the most popular OS and not waste development time on fringe OSes -- developers will continue writing software for only Windows. The high price of Windows will continue until there is a decent alternative that picks up enough market share to be an issue for M$ -- something I don't see happening for a while.

At least the server market is different. It doesn't rely on mass market software to appeal to buyers. I use Linux when I can, especially in server environments.
Hello Linux Lover
by 201293546946733175101343322673 August 4, 2005 10:58 AM PDT
I am glad you find your own inner peace :)
Bug Fixes means it's maturing?
by August 4, 2005 11:17 AM PDT
What a bunch of crap. Bugs are fixed so it is a sign that the OS is maturing? What about the increase of bugs found?

More bugs found = Maturation
Agreed
by William Squire August 4, 2005 7:59 PM PDT
Evaluating software based on the number of bugs that have been discovered is as pointless as choosing a city based on the number of traffic tickets administered.

No operating system is secure, and a hacker can exploit just one hole more easily than they can exploit 10. Is it going to make a difference how many exploits a hacker took advantage of to obtain a copy of your identity? Of course not. So nobody should care how many bugs are discovered, just that they are being actively pursued and fixed.

http://www.inaniloquent.com/PermaLink.aspx?guid=6372bcc7-0591-4eff-ab92-8227cb92da8c