US Government Studies Open Source Quality

[This was originally published on the OSVDB blog.]

US Government Studies Open Source Quality reads the SlashDot thread, and it certainly sounds interesting. Reading deeper, it links to an article by the Reg titled Homeland Security report tracks down rogue open source code. The author of the article, Gavin Clarke, doesn’t link to the company who performed the study (Coverity) or the report itself. A quick Google search finds the Coverity home page. On the right hand side, under ‘Library’, there is a link titled NEW >> Open Source Quality Report. Clicking that, you are faced with “request information”, checking the “Open Source Quality Report” box (one of seven boxes including “Request Sales Call” as the first option, and “Linux Security Report” is the default checked box), and then filling out 14 fields of personal information, 10 of which are required.

So, let me get this straight. My tax dollars fund the Department of Homeland Security. The DHS opts to spend $1.24 million dollars on security research, by funding a university and two commercial companies. One of the commercial companies does research into open source software, and creates a report detailing their findings. To get a copy of this report, you must give the private/commercial company your first name, last name, company name, city, state, telephone, how you heard about them, email address, and a password for their site (you can optionally give them your title, and “describe your project”).

Excuse me, but it should be a CRIME for them to require that kind of personal information for a study that I helped fund via my tax dollars. Given this is a study of open source software, requiring registration and giving up that kind of personal information is doubly insulting. Coverity, you should be ashamed at using extortion to share information/research that should be free.

Even worse, your form does not accept RFC compliant e-mail addresses (RFC 822, RFC 2142 (section 4) and RFC 2821). Now I have to add your company to my “no plus” web page for not even understanding and following 24 year old RFC standards. HOW CAN WE TRUST ANYTHING YOU PUBLISH?!

Oh, if you don’t want to go through all of that hassle, you can grab a copy of the PDF report anyway.

Leave a Reply

%d bloggers like this: