Oops, Look At That Phoenix, Rising From The AshesOops, Look At That Phoenix, Rising From The Ashes

In a story headlined, Open Source Code Contains Security Holes, I referred recently to the Firebird database project as "somewhat moribund." So imagine my surprise when a reader pointed out it was named project of the month in December by SourceForge, the dominant host of open source projects. Geez. Then there was the case of the supposedly "inactive" FreeBSD Unix.It's hard to keep up. I remember when Inprise [no, the firm had reverted to the name Borland Software] released the InterBase versioning database system, version 6.0, as open source code in 2000. It was a long-awaited move. A group of InterBase users and developers looked at Borland's terms for joining the InterBase community, took the code, and formed an alternate project, which they dubbed Firebird.

I once talked to a knowledgeable lead developer of InterBase at Borland and she convinced me its unique design brought several advantages to the database field. But for years, I couldn't see how either the Borland-sponsored project or the Firebird project were going anywhere. When I saw that Firebird developers appeared to be no-shows on Coverity's list of scanned open source projects, I figured the project didn't have enough energy left to correct an outsider's list of defects.

Well, I'm out of touch. Firebird has enjoyed an influx of new talent, including lead developer Dmitry Yemanov in Penza, Russia. He's aided by key developers Alex Peshkov of Yaroslavl, Russia; Vladyslav Khorsun of Dnepropetrovsk, Ukraine; Adriano dos Santos Fernandes of Sao Paulo, Brazil; Claudio Valderrama of Vina del Mar, Chile; and Arno Brinkman of Bemmel, The Netherlands.

Firebird is an excellent example of a point I was trying to make in the Top 10 Open Source Stories Of 2007, that open source code is now the world's enthusiasm and can no longer be viewed as the special preserve of Europe, North America, Australia/New Zealand, and Japan. My example was WSO2 in Sri Lanka. It could have been Firebird. It just goes to show what happens when you use a project whose logo is a phoenix, rising from the flames, as an example of "moribund."

Then there's Free BSD, the Berkeley Unix that preceded and in many ways anticipated the rise of Linux. Coverity is the producer of Prevent SQS, a code analysis system meant to sniff out defects by inspecting static code. Coverity was tapped by the Department of Homeland Security for a $300,000 contract to review open source projects and it posts defect lists on its Web site.

Coverity officials neglected to tell me that FreeBSD took its work on those scans off the Coverity site and works on them on an in-house server, using its own tailored version of Coverity's Prevent. None of that is evident on the Coverity scan site, which shows FreeBSD as registering 605 bugs in the scans, with zero fixed, which I duly reported in our Jan. 8 story.

Colin Percival, FreeBSD security officer, sent me the following message: "...the analysis performed by the FreeBSD project -- fixing, by my count, 200 bugs in the past four years and marking many more as false positives -- isn't reflected on the Coverity Scan Web site, leading to confusion, such as yours."

FreeBSD "has consistently lead the open source community in using the remarkable tools provided by Coverity and we have every intention of continuing to do so." In other words, the situation is under control and looks a lot more sane when viewed from the FreeBSD perspective, instead of the scan project's.