Debian and Gentoo Security Awareness

I subscribe to both the Debian Security and Gentoo Security lists. I’m one of those concerned sys-admins who wants to make sure I’m not running a vulnerable copy of software. Well, is it just me, or has the number of security vulnerabilities increased over the past few months?

Open-source software has long been widely accepted as some of the most stable, trusted, and worthwhile software to use. This was because there were very few security vulnerabilities, production versions of the software were rock-solid, and most of it was easy to administer for a Unix admin. But, in the past few months, the sheer number of security messages leads me to one of three conclusions:

  • OSS is taking on individuals who are less capable of writing good code.
  • OSS and the community are starting to find new vulnerabilities that they didn't know existed before - and at a rapidly increasing rate.
  • Competent programmers are getting lazy, not checking their code, and are acting like Microsoft - wanting to get the end product out quickly, regardless of the number of broken things and vulnerabilities.

If it is the first one, then I’m starting to question what is being taught to our Computer Science students in universities around the world. It’s reasonable to believe that more and more recent computer science / engineering graduates, if not those who graduated within the past 5-10 years, are joining OSS projects - and rightfully so. The community is always in need of volunteers, and sometimes the volunteers are looking for experience on projects that have well-founded roots and structure to them so they can better themselves (and their peers) at whatever programming job they get. But, if they are the ones contributing sloppy code, then how can our Universities and Colleges get away with not teaching good coding techniques? That IMHO is a critical aspect for a computing science student to learn at the beginning of their school work, not in the middle, at the end, or (heaven forbid) never at all.

If it is the second choice, then I applaud the OpenSource community for actually finding, fixing, and releasing these vulnerabilities. I certainly don’t want to be helping to maintain a customer’s website with 500K credit card numbers in a database only to find that one of the most blatant security holes in the database software has let 5 hackers through to obtain most, if not all, of those credit card numbers. I’m sure the rest of the community feels the same way about this. If it is the second choice, this whole argument is moot, as it’s simply applause rather than a rant anyway.

If it is the final choice, then my message to the open source community is wake the f*ck up. As Admiral Adama from Battlestar Galactica puts it, “You’ve lost sight of the true goal.” The true goal of OpenSource software is not to be first-to-market, is not to have the most features that please everyone, is not to make a quick fix to a problem and move on. It’s working with your peers on projects, deciding which features will take time to develop and truly developing the ones that benefit the community the most. It’s making sure that your code is rock solid. Above all, it’s making a product that everyone around the world can utilize, come to trust, and will turn to for the solution you’re providing again and again.

So, OpenSource community, will you make sure you’re writing the most efficient code?