I also take offence at that stupid text in the article.
Some comment to the article lists a long list of bugs that were all
from an advisory listing entries from reading the svn log.
Most of them were not security related at all; blindly allocating
large amounts of memory or entering an infinite loop is at best a
DoS but not a security issue.
The author fails to realize the sole reason for there to be so many
entries in those advisories is that for over a year there has been
massive work doing fuzz testing, code auditing, removal of unsafe
calls etc etc.
A massive focus on stability and finding and fixing bugs.
Since we spend so much time and resources on these things it is
obvious we will find many bugs as if we didn't do any such thing.
The truth about the quality and amount of bugs can easily be seen in
the coverity logs.
Half of the entries are false positives so far.
A bug/loc value vastly below any other >1mloc project. A bug/loc
value much better even than most small projects.
The truth about the quality and the bugs is plainly visible to anyone to see.
On 3/6/06, Gerald Combs <gerald@xxxxxxxxxxxx> wrote:
> Andreas Sikkema quoted from http://lwn.net/Articles/174426/ :
>
> > "On the other hand, ethereal shows a very low defect rate, which can be
> > hard to square with the long list of security advisories from that
> > project."
>
> <rant>
> How is this hard to square? I (and others) have been busting our
> collective asses over the past year or so to find and fix security
> defects in Ethereal. Both the low defect rate _and_ the long list of
> advisories are a direct result of this. Sheesh.
> </rant>
>
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
>