The Bane of Open-Source Bugs


So you've just downloaded that hip new open-source replacement for your favorite paid-for application and you're ready to crack it open and unleash all the awesome community-driven features contained inside.  Well, if this application is Songbird, you might want to hold off for a moment.  A recent blog post by the application's developers has revealed that the media player's iPod add-on does more than just transfer music to your device.  It also has the potential to corrupt or outright delete music already stored on the device.  Yikes!

It's not the first bug to hit an open-source project (duh), but it nevertheless shows that even community-driven software isn't impervious to game-breaking problems.  Consider Android, Google's open-source mobile operating system released as part of T-Mobile's G1 line of phones.  In early November, enthusiasts discovered a fatal bug in the software, one that allowed any user to gain root access to the device.  How so?  Well, upon loading the OS, the phone would silently start a command shell running as root.  Anything you subsequently typed into the phone -- in a text message, in an Internet browser, anything -- was also fed to this shell as a command.  Pick the right word, like "reboot," and your phone would perform that action as a superuser.  Whoops!

We could repeat this exercise for any number of interesting (and hilarious) open-source bugs.  But here's the kicker: as serious as these bugs might be, the very nature of open-source, community-driven development can help close these holes much faster than in their retail counterparts.  In the Songbird case above, the bug has been reported and a fix has been found -- presumably it will ship in the next release of Songbird.

According to a report by Secunia, a vulnerability research company, Mozilla's Firefox Web browser contained 115 reported flaws in 2008.  That total beats out the combined reported flaws of rivals Internet Explorer, Safari, and Opera, each of which individually capped out in the low 30s.  That said, Mozilla was faster at fixing publicly disclosed Firefox flaws than Microsoft was with its Internet Explorer browser (the only other application considered for this measurement).  It took Mozilla anywhere from 15 to 86 days to fix these zero-day vulnerabilities.  For Microsoft, patching flaws ranging from "less critical" to "high" in severity took anywhere from 78 days to 294 days.

It would be incorrect to take these figures and issue a blanket proclamation that open-source software is faster at fixing its problems than free or retail equivalents.  It's still an interesting note, especially given the popularity of these two programs -- Songbird is being heralded as an open-source iTunes, and Firefox is still chipping away at IE's market share.  Open-source bugs might really ruin a user's day, but that doesn't mean they'll stick around for long.  In some cases, your closed-source software might fare far worse.
