

Linux Foundation serves up a tasty dish of BUGS

Lots of important tools get no developer love, which makes Linux a bit more risky

The Linux Foundation's Core Infrastructure Initiative has completed its first-pass survey of the Linux toolset, and is highlighting which tools are most at risk.

While there's lots of attention on high-profile packages like crypto tools, web servers and mail agents, there are also a lot of packages that everyone uses and nobody cares about (compression and image libraries figure high on the list).

On its GitHub page, the foundation's Census Project has released the final version of a survey by David Wheeler and Samir Khakimov, Open Source Software Projects Needing Security Investments.

While Wheeler and Khakimov write that their work was constrained by time, and to this stage concentrated mainly (but not exclusively) on tools associated with Debian, it's still worrying.

The list of “most exposed packages” is drawn from a range of metrics – how much maintenance a package actually receives, how popular it is, and how important it is (that is, can you live without it?). After their automated assessment of more than 350 projects, the pair then ran human eyeballs over the results to identify what they believe to be the packages most exposed to security vulnerabilities.

While the list includes more than 20 utilities, some of which are highly exposed to Internet risks (mail transfer agents, DHCP, BIND tools and so on), the survey is measuring not the “level of bugginess” per se, but rather how much damage a bug would do, and therefore how much TLC a particular tool or project needs.

Hence while OpenSSL and OpenSSH are rated as critically important, those projects are already operating under the CII's wing.

That's not true of tools like the widespread Bzip2 compression tool, which hasn't changed since 2010, doesn't operate any forums the authors could find, and doesn't operate a source code repository (the source code ships only in the tarballs).

Likewise, reports that BIND9 has a “huge backlog” of issues are worrying; wget has “a fair number of hacks, and functionality that was 'tacked on' (which is not good for security)”; and while the “vital” gzip tool has “many contributors”, the last formal release was in 2013.

libexpat1 is also singled out: maintenance “effectively halted” in 2012, and its “bug reports” link produces an error page; and keyutils – used to manage security keys – has no bug tracker and no mailing list.

The Census project at GitHub is here, and the full list of tools examined is in this CSV. ®
