Wednesday, January 9, 2008

Open Source Code Contains Security Holes

The following was sent to Charles Babcock at InformationWeek in reply to an article entitled:

Open Source Code Contains Security Holes

As a developer and administrator of the Firebird Project I completely reject the statement you made in the above article.

"The somewhat moribund Firebird project, for example, is listed with 195 identified defects, of which it has verified zero and fixed zero. The active Firefox browser project, on the other hand, has fixed 370 bugs, verified 56 and faces another 246 to verify and fix."

The Firebird project is in fact incredibly active - perhaps a look at this chart on our bug tracker might give you a clue.

http://tinyurl.com/yt5pgl

Firstly, the Firebird project reviewed the Coverity results almost immediately after they were published and found that the report isn't actually related to the Firebird engine. This URL shows our appropriate comments from the 7th March 2006:
http://www.firebirdnews.org/?p=180

Also, more comments from Claudio on the 26th March 2006:
http://www.firebirdnews.org/?p=243

Secondly, in a more detailed reply to the actual "PR" issue raised by David Maxwell, open source strategist for Coverity: if you had asked about this before printing the article you could have put some facts straight.

Nearly all of the 195 identified defects are in fact actually within an external piece of code we use for character sets and collation sequences, ICU:

http://www-306.ibm.com/software/globalization/icu/index.jsp

"The International Component for Unicode (ICU) is a mature, portable set of C/C++ and Java libraries for Unicode support, software internationalization (I18N) and globalization (G11N), giving applications the same results on all platforms."

An open source project maintained by IBM. I will admit that we are using an older version of ICU (3.0) than is currently available and we will be upgrading to a newer version in the near future. But this is not something that is a trivial exercise, as it means that any database using a different version of ICU would be incompatible with the version we ship. We plan to upgrade ICU in Firebird version 2.5.

Other defects reported: one in usr/include/c++/4.0.2/i386-redhat-linux/bits/gthr-default.h. Not our problem either....

And there are four defects in firebird2/src/gpre/pretty.cpp, a piece of old code used with a pre-compiler (gpre) to make BLR look good. BLR (Binary Language Representation) is Firebird's internal compiled language. This doesn't affect the Firebird server at all.

I would like you to print a correction or at least acknowledge the inaccuracy of the article as regards Firebird.

Regards,
Paul Beach

Carlos said...

Correct FirebirdNews post with Claudio's comments is http://www.firebirdnews.org/?p=243