I have been wracking my suspicious mind all day, trying to see what's wrong with this.
Maybe you can help.
It seems the Department of Homeland Security is putting up almost $1.25 million in grant money to help make open source more secure. Most of the money is going to Stanford, but Coverity and Symantec are getting some, too.
The DHS calls this the Open Source Hardening Project. It will be an automated system checking open source contributions for security holes, and it will let project managers scrub the bugs before they get released into the wild.
Rob Rachwald, Coverity's Senior Director of Marketing, was nice enough to walk me through it. He explained that usually just 5-10% of code is tested, since QA departments will simply create run-time scenarios for the code to perform.
Coverity tests all the code. "We make sure the rivets of the logic go in real well. We don’t worry about features and functions." It's the kind of testing that might take decades for people to do. At Coverity, which commercialized research originally done at Stanford, it takes just days.
"Take the latest Linux kernel. It has 6 million lines of code, 6 million pathways, and
675,000 79,876 functions. It would take a human being 28 years to go through that. We automate that. We can do it in a few hours." NOTE: I originally misheard Rachwald and when I got the correction, it was a precise figure in Version 2.6.12.)
And if you're worried about premature public releases of buggy code a spokesman added, "While Coverity will be pointing out defects publicly, they won't be making source code available that isn't already public, and they won't be providing information on the specific deployments of the software."
One more key advantage of all this for open source projects. It will help better identify the paths through which bug reports should travel. The Linux core kernel has a single contact, but other projects have multiple contacts, even confusing pathways through which bug reports pass. Under the contract this sort of thing will get straightened out. Think of it as free wetware testing.
It took about nine months to finalize the deal, Rachwald added, "light speed" for something involving the government. But that's the speed of viruses these days.
It all sounds like a win-win-win. Tell me it's not.