
DHS gives up green to help secure OSS

n0cmonkey

Elite Member
Link.

Through its Science and Technology Directorate, the department has given $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity's commercial tool for source code analysis, representatives for the three grant recipients told CNET News.com.

List of open-source software to be analyzed in the Department of Homeland Security-sponsored project.

Abiword
Apache
BerkeleyDB
Bind
Ethereal
Firebird
Firefox
FreeBSD
Gaim
Gimp
Gtk+
Icecast
Inetutils
KDE
Linux
Mplayer
MySQL
OpenBSD
OpenLDAP
OpenSSH
OpenSSL
OpenVPN
Proftpd
QT
Samba
Squid
TCL
TK
wxGtk
Xine
Xmms
Xpdf

Source: Coverity

Sounds good to me. A member or two of OpenBSD's dev team work for Coverity and have been using their tools to test already. This should be really good for OSS though!
 
That is good news, the more people reviewing the code the better. But the list seems a little odd, makes me think they might be looking at Linux for desktops in the US government. And I don't think XMMS is maintained anymore heh.
 
Originally posted by: STaSh
Interesting that this money is going to a closed-source commercial solution.

The article made a lot of sense with regards to that. I mean, someone could probably spend a lot more money creating something from scratch or getting lint up to speed, but why since Coverity's product is already being used for both the Linux kernel and OpenBSD's source tree?
 
I'm just glad that there will be another method for code review other than the multiple eyeballs process.
 
I'm just glad that there will be another method for code review other than the multiple eyeballs process.

I don't remember the name of the school (Stanford maybe), but there's been a school running a source analyzer based off of GCC on things like the Linux kernel for some time.
 
Originally posted by: Nothinman
I'm just glad that there will be another method for code review other than the multiple eyeballs process.

I don't remember the name of the school (Stanford maybe), but there's been a school running a source analyzer based off of GCC on things like the Linux kernel for some time.

Coverity's work is based off of something from Stanford, and they've been running it against the Linux kernel for a while now.
 
Coverity's work is based off of something from Stanford, and they've been running it against the Linux kernel for a while now.

What do you mean by 'based off of'? AFAIK the Stanford Checker is a fork of GCC which means it's GPL'd so if Coverity is a fork of that, they'd be in violation of the GPL by not giving out the source too.
 
Originally posted by: Nothinman
Coverity's work is based off of something from Stanford, and they've been running it against the Linux kernel for a while now.

What do you mean by 'based off of'? AFAIK the Stanford Checker is a fork of GCC which means it's GPL'd so if Coverity is a fork of that, they'd be in violation of the GPL by not giving out the source too.

From the article:
But the real winner is Coverity, Quandt said. The company's technology is based on Stanford research, and Stanford's Engler is closely affiliated with the business.

So maybe it's not the Stanford stuff you were thinking of, but other research.
 