The Trials And Tribulations Of Open Source Software Development

Source: The Register The Trials And Tribulations Of Open Source Software Development

Unsigned Applications And Unpatched Code

There are two stories today looking at open source software and small developers trying to get their apps to run on Windows that are related but probably not cause and effect.  RiskSense vetted a large number of open source programs looking for unpatched security bugs which are known and documented on sites such as the National Vulnerability Database.  They skipped the big ones such as Linux and Drupal as the large user base generally detects and reports issues vociferously and the patches tend to be made available quickly; even if not installed by the userbase immediately.

They looked at repositories such as GitLab, MongoDB and Elasticsearch to examine code for known security bugs and they certainly found them.  While it is not terribly surprising that some code contains problems, it is the trend that they are seeing that is worrisome.  The 2018 study revealed 421 bugs, however in 2019 that count has jumped to 968 last year which is not the result we want to see.  Slashdot mentions PostgreSQL as one of the worst for this particular issues with reporting and resolution delays of eight months.

The Register is concerned about a different aspect of using open source programs on Windows, as Microsoft has added more steps to running unsigned software.  If a developer does not pay for a code-signing certificate then installing their app on Win10 now involves a ridiculous number of nag screens to get through in order to be able to use the software.  They spoke with Tony Pottier, the developer of ImageView about how this impacts his end users.

The Register tried installing an unverified app and counted seven screens to get through before installation was possible.  The first step is quite possibly the worst, as when you attempt to download the file you are only offered the options to Delete or Cancel, unless you notice the additional options and open your browsers full download manager to find a way to convince your machine to download the file, long before being able to actually install it.  This is definitely going to have an effect on smaller developers who can’t afford to the process to get a certificate.

A developer of a Windows utility has protested that "Microsoft Defender SmartScreen is hurting independent developers" because of the number of warnings and obstacles placed in front of users who download installers that are not signed or sufficiently well known.

Video News

About The Author

Jeremy Hellstrom

Call it,, or PC Perspective, Jeremy has been hanging out and then working with the gang here for years. Apart from the front page you might find him on the BOINC Forums or possibly the Fraggin' Frogs if he has the time.

Leave a reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Latest Podcasts

Archive & Timeline

Previous 12 months
Explore: All The Years!