Red Hat's Cox warns on open source security

Linux developer and Red Hat veteran Alan Cox urges caution to those who think Linux security is foolproof
Written by Richard Thurston, Contributor

Alan Cox, one of the most respected figures in the UK open source community, has warned of complacency over the security of open source projects.

Speaking to delegates at London's LinuxWorld conference on Wednesday, he emphasised that considerable sums of money were being spent to try to hack into open source systems.

And he cautioned that many open source projects were far from secure.

"There is a lot of money going into security, but the situation is worse because there is a lot of money going into breaking security. People are being paid to work, breaking down software systems," Cox, who is employed by Red Hat, told delegates.

"Things appear in the media like open source software is more secure, more reliable and there are fewer bugs. Those are very dangerous statements," Cox said.

"That analysis just looks at well-known projects. If you take 150 projects from SourceForge [a repository for open source code], you do not get the same marks as you would with the Linux kernel. The debate of Microsoft saying 'Look how secure we are' versus Linux saying, 'We're more secure' is not looking at the important points.

"High quality only applies to some projects — those with good code review and those with good authors," Cox added.

Cox, who has been closely involved with the development of the Linux kernel for many years, also took the opportunity to take a pop at a newly launched project which promises to measure the quality of open source code.

The Software Quality Observatory for Open Source Software (SQO-OSS) is funded by the European Commission and it launched on Monday. Cox told delegates that metrics must not become targets.

"It is good to build metrics, and SQO-OSS has great potential," he said. "But there are problems with this and there are risks associated with that kind of methodology.

"If you are working with metrics and you have 14 bugs, you fix the 13 easy ones, and the one hard one can wait. That happens in the security world, but it becomes inefficient."

LinuxWorld is running at London's Olympia conference centre until Thursday.