Linux Foundation wants open source projects to show you their steenking badges

The Linux Foundation says it plans to introduce a new, voluntary badge program designed to help IT admins identify open source projects that have made security a priority. The new effort is part of the Foundation's Core Infrastructure Initiative (CII), which aims to fund and support open source projects that are critical to …

  1. This post has been deleted by its author

    1. Hans 1

      re: 1980s_coder

      Upvoted for the ref to OpenBSD.

      But the whole point is, if your sources are easily available, bugs and vulns have a higher chance of being spotted. I am not saying this prevents the bugs from emerging, but even the brightest devs make mistakes - they are human after all.

      1. Charlie Clark Silver badge

        Re: re: 1980s_coder

        But the whole point is, if your sources are easily available, bugs and vulns have a higher chance of being spotted.

        The openssl fiasco would suggest that this isn't the case. The code was there for years and still nobody found the bugs.

        Open source is at best an invitation to peer review but this itself is a damn good start. Back to the original poster – the GPL does just muddy the issue.

    2. Captain Scarlet

      Not sure about propaganda; to me it looks like corporate red tape.

      1. Charlie Clark Silver badge
        Thumb Up

        Not sure about propaganda; to me it looks like corporate red tape.

        Indeed, have another thumbs up.

        The Linux Foundation reminds me of a Swiss admiral, you know, the one that never sails. We don't need badges but funding for CI setups and good static code analysis. A project with a dashboard detailing test coverage and what analyses have been run might actually be worth something.

    3. Tomato42
      Trollface

      "If you don't want features and use CVS in 21st century, just run OpenBSD and have done with it."

      TFTFY

  2. Frank Bitterlich
    Alien

    GPL == security?

    ... criteria being considered include whether the project is under an explicit open source license ...

    OK, so choosing the right license will contribute to the security of my product?

    Wow, I didn't know it was that easy...

    1. jilocasin
      Holmes

      Re: GPL == security?

      Maybe:

      GPL != security

      but instead:

      GPL == not getting sued by developers for telling people about bugs == more people willing to check software for vulnerabilities.

    2. Fibbles

      Re: GPL == security?

      It's not a stance I agree with but I think their logic is something along the lines of: anyone shipping GPL code who patches a security vulnerability must also make available the code for that patch. Compare that to a BSD license for example where two companies may be running the same software but one has access to patches the other does not.

      1. Charlie Clark Silver badge

        Re: GPL == security?

        Compare that to a BSD license for example where two companies may be running the same software but one has access to patches the other does not.

        This might work occasionally but it actually makes more work for the "cheater" because they have to work harder to keep their patched version in sync with an upstream source. This is why open source is valuable in and of itself and doesn't need any pseudo-philosophical justification. I think Google's record of kicking back changes on the various projects it uses is a good example for this, but other companies understand it equally well.

        Where a company does have some secret sauce that does provide some significant commercial advantage over the open source variant, then obviously they have to weigh up the costs of integration against the revenues generated by the commercial advantage.

    3. moxberg

      Re: GPL == security?

      Open sourcing does not add or subtract security. Changes to code do.

      What has to be assessed is the probability of closed source vs. open source getting patched. The likelihood of back doors being sneaked in. The odds of "phone home galore" aka Win10 being accepted into open source projects. The remoteness of, say, Linus Torvalds allowing downloaded font rendering code into kernel space vs. the reality of Microsoft clinging to that ludicrous design flaw.

      Calculating the percentages is left as an exercise to the reader.

  3. Anonymous Coward
    Anonymous Coward

    Patches? We don' need no steenkin' patches!

    ('cause we got badges)
