
posted by janrinok on Friday July 17 2015, @03:42AM
from the looking-in-the-wrong-place dept.

The Linux Foundation's Core Infrastructure Initiative has completed its first-pass survey of the Linux toolset, and is highlighting which tools are most at risk.

While there's lots of attention on high-profile packages like crypto tools, web servers and mail agents, there are also many packages that everyone uses and nobody pays attention to (compression and image libraries figure high on the list).

On its GitHub page, the foundation's Census Project has released the final version of a survey by David Wheeler and Samir Khakimov, Open Source Software Projects Needing Security Investments.

While Wheeler and Khakimov write that their work was constrained by time and, at this stage, concentrated mainly (but not exclusively) on packages shipped with Debian, the result is still worrying.

The list of “most exposed packages” is drawn from a range of metrics: how much maintenance a package actually receives, how popular it is, and how important it is (that is, can you live without it?). After an automated assessment of more than 350 projects, the pair then reviewed the results by hand to identify the packages they believe are most exposed to security vulnerabilities.

While the list includes more than 20 utilities, some of them directly exposed to the Internet (mail transfer agents, DHCP, BIND tools and so on), the survey measures not the “level of bugginess” per se, but rather how much damage a bug would do, and therefore how much attention a particular tool or project needs.

[...] The Census project at GitHub is here, and the full list of tools examined is in this CSV.
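To make the ranking idea above concrete, here is a toy risk ranking in the spirit of the metrics the survey names (maintenance received, popularity, importance, and exposure to network input). This is an added illustration written for this page, not the Census Project's own formula: the weights, the cut-offs, the `PackageMetrics` fields and the package records are all constructed assumptions, chosen only to show how a rarely maintained but widely installed library can outrank a heavily maintained, Internet-facing server.

```python
"""Toy risk ranking illustrating the kind of metrics the Census survey uses.

Added example, not the Census Project's own scoring: the factor weights, the
cut-offs and the sample packages below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PackageMetrics:
    name: str
    contributors_12m: int   # maintenance: distinct committers in the last 12 months
    installs: int           # popularity: popcon-style install count (constructed)
    network_exposed: bool   # does the package parse input that arrives over a network?
    essential: bool         # importance: would the system still work without it?


# Constructed sample records; none of these names or numbers come from the survey CSV.
SAMPLE = [
    PackageMetrics("libfoo-compress", contributors_12m=1, installs=95_000,
                   network_exposed=True, essential=False),
    PackageMetrics("bigwebserver", contributors_12m=40, installs=60_000,
                   network_exposed=True, essential=False),
    PackageMetrics("tinyutil", contributors_12m=0, installs=2_000,
                   network_exposed=False, essential=False),
    PackageMetrics("coreinit", contributors_12m=2, installs=99_000,
                   network_exposed=False, essential=True),
    PackageMetrics("mailxfer", contributors_12m=1, installs=30_000,
                   network_exposed=True, essential=False),
]


def maintenance_penalty(contributors_12m: int) -> int:
    """Fewer recent contributors -> higher penalty (0..3). Cut-offs are assumptions."""
    if contributors_12m == 0:
        return 3
    if contributors_12m < 3:
        return 2
    if contributors_12m < 10:
        return 1
    return 0


def risk_score(pkg: PackageMetrics, max_installs: int) -> float:
    """Higher = more exposed. Measures how much a bug would hurt and how little
    attention the code gets, not how buggy the code is. Weights are assumptions."""
    popularity = 3.0 * pkg.installs / max_installs      # scaled to 0..3
    exposure = 2.0 if pkg.network_exposed else 0.0      # attacker-reachable input
    importance = 2.0 if pkg.essential else 0.0          # hard to live without
    return maintenance_penalty(pkg.contributors_12m) + popularity + exposure + importance


def rank(packages: list[PackageMetrics]) -> list[str]:
    """Return package names ordered from most to least exposed (ties broken by name)."""
    max_installs = max(p.installs for p in packages)
    scored = [(risk_score(p, max_installs), p.name) for p in packages]
    scored.sort(key=lambda item: (-item[0], item[1]))
    return [name for _, name in scored]


if __name__ == "__main__":
    top = max(SAMPLE, key=lambda p: p.installs).installs
    for name in rank(SAMPLE):
        pkg = next(p for p in SAMPLE if p.name == name)
        print(f"{name:18s} {risk_score(pkg, top):5.2f}")
```

With these constructed inputs the well-staffed `bigwebserver` lands near the bottom despite being Internet-facing, while the one-maintainer `libfoo-compress` ranks just behind the essential `coreinit`; that is the survey's point that exposure and neglect, not bug counts, are what the census is trying to surface.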


  • (Score: 0) by Anonymous Coward on Friday July 17 2015, @03:14PM (#210458)

    x=x+1
    only works on a computer.
    strangely enough this simple awesomeness is completely forgotten in the computer HISTORY/evolution world:

    a new (free?) OS gets developed (in a garage?)=x to successfully displace "milk-your-wallet" OS and to
    enable a new generation of computer users x=x+1 who keep adding and adding and adding until some
    level where the garage gets too small and some serious funding becomes necessary.

    this insight was probably funded over three corners by your favorite "milk-your-wallet" OS vendor?

    g0d chaos theory is awesome : )

  • (Score: 0) by Anonymous Coward on Friday July 17 2015, @07:35PM (#210557)

    social sciences or liberal arts major?