Fixing the bug fixers

Rather than funding proprietary companies to hunt open-source bugs, government should subsidise community-developed alternatives

The open-source community is fond of touting the advantages that it believes its software-development approach has over proprietary methods.

Proprietary players are equally keen to point out that open communities of unpaid developers have a major flaw: bug-hunting is hard work and dull. Creating a celebrated feature in an open-source operating system or application is loaded with potential for community kudos but, according to the proprietary camp, the painstaking drudgery of bug-hunting and fixing offers little in the way of reward for the unpaid open-source enthusiast.

Open-source bug-tracking tools are widely available, but the tools required to automate the process are expensive and in the hands of proprietary companies. The issue becomes more acute as open-source applications are knitted into the business mainstream, which will often demand more substance behind the "intrinsically cleaner" assurances from the open-source community.

Perceiving that an increasing share of the nation's critical infrastructure is based on open source, the US Department of Homeland Security announced in January 2006 that it would donate $1.24m in funding to researchers from Stanford University and two software security firms to hunt for security bugs in community-developed software. This week it was announced that the project has found and resolved over 6,000 bugs, with 700 developers signed up to the scheme and some 35 million lines of code scanned each day.

Now the effort is growing in scope, with 150 open-source projects on the list. But however many bugs are caught, there is one big flaw in the concept: a large chunk of the funding is going directly to two proprietary companies — Coverity and Symantec — which own the closed-source bug-hunting tools. While access to the skills of these companies should be welcomed, outsourcing open-source bug hunting to proprietary players smacks of short-term thinking. In the long term, the $400,000 paid to Coverity and Symantec could be better spent funding the development of open-source bug-analysis tools, and paying individual open-source bug fixers for their efforts.

A body which believes that robust open-source software will ultimately benefit everyone should also see the benefit in helping the open-source community to help itself. Give a developer a list of bugs to fix and he'll fix them for a month; give him the means to find those bugs himself and he'll fix them for life.