The Linux Foundation's Core Infrastructure Initiative has completed its first-pass survey of the Linux toolset, and is highlighting which tools are most at risk.
While there's lots of attention on high-profile packages like crypto tools, web servers and mail agents, there are also a lot of packages that everyone uses and nobody cares about (compression and image libraries figuring high on the list).
On its GitHub page, the foundation's Census Project has released the final version of a survey by David Wheeler and Samir Khakimov, Open Source Software Projects Needing Security Investments.
While Wheeler and Khakimov write that their work was constrained by time and has so far concentrated mainly (but not exclusively) on tools associated with Debian, the findings are still worrying.
The list of “most exposed packages” is drawn from a range of metrics – how much maintenance it actually receives, how popular it is, and how important it is (that is, can you live without it?). After their automated assessment of more than 350 projects, the pair then ran human eyeballs to identify what they believe to be the most exposed to security vulnerabilities.
While the list includes more than 20 utilities, some of which are highly exposed to Internet risks (mail transfer agents, DHCP, BIND tools and so on), the survey is measuring not the “level of bugginess” per se, but rather how much damage a bug would do, and therefore how much TLC a particular tool or project needs.
[...] The Census project at GitHub is here, and the full list of tools examined is in this CSV.
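The summary above describes the survey's approach: combine maintenance, popularity and importance metrics across a CSV of projects, then rank the most exposed for human review. As an added illustration (not the Census Project's own code or scoring formula), the script below applies that idea to a constructed census-style CSV; the column names, weights and sample rows are all assumptions made for this example.

```python
"""Rank packages by exposure from a census-style CSV.

Added example, not the Census Project's code.  The columns, the weights
and the sample rows are constructed assumptions; the real census CSV and
its scoring differ."""
import csv
import io

# Constructed sample rows in an assumed column layout.
SAMPLE_CSV = """\
package,installs_pct,months_since_release,contributors,network_exposed,critical
liba,92,30,1,0,1
serverb,60,3,12,1,1
toolc,15,60,2,1,0
libd,95,14,1,0,0
"""

def exposure_score(row, max_installs=100.0):
    """Heuristic score, higher means more exposed (assumed formula).

    Maintenance risk grows with release age (capped at three years) and
    shrinks with the number of contributors; popularity widens the blast
    radius of any bug; being network-facing and being hard to live without
    each add a fixed bump, matching the three metric families the survey
    names."""
    maintenance = min(int(row["months_since_release"]), 36) / 36.0   # 0..1
    maintenance *= 1.0 / max(1, int(row["contributors"])) ** 0.5
    popularity = float(row["installs_pct"]) / max_installs            # 0..1
    importance = 0.5 * int(row["network_exposed"]) + 0.5 * int(row["critical"])
    return round(0.4 * maintenance + 0.3 * popularity + 0.3 * importance, 3)

def rank_packages(csv_text):
    """Return (package, score) pairs sorted most-exposed first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    scored = [(r["package"], exposure_score(r)) for r in rows]
    return sorted(scored, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    # Print the candidate list a reviewer would then examine by hand.
    for name, score in rank_packages(SAMPLE_CSV):
        print(f"{name:10s} {score:.3f}")
```

Note that the barely-maintained but widely installed library outranks the well-staffed network server: the survey's point is that exposure, not bug count, drives the ranking.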
(Score: 1) by anubi on Friday July 17 2015, @05:14AM
It's not just Windows anymore....
Things are just getting too damned complicated.
Very few, if any, understand what is going on.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 5, Insightful) by deimios on Friday July 17 2015, @05:45AM
Well thanks to the Unix philosophy we can just replace the buggy utilities if need be. Since every small program just does one specific thing right? Right?
(Score: 5, Funny) by Snotnose on Friday July 17 2015, @09:46AM
Yep. All systemd does is bring your Linux box up. Simple, small, what could possibly go wrong?
When the dust settled America realized it was saved by a porn star.