March 8, 2005

OSCON 2005: Here we go again!

I've been invited back to the Open Source Convention in Portland, Oregon. Last year's talk was about my Abacus MathML Editor. This year, I'm going as a panel member. The panel is one I proposed, asking the question, "Are open-source developers prepared for security bugs?"

For all I know, the answer could be yes. But given my experiences with bug 259708, the answer could be no as well.

I asked for this panel not to focus on Mozilla specifically, but to focus on general issues facing software developers. Security is still a relatively new concept for most open-source developers (even if it isn't for the industry).

Posted by WeirdAl at March 8, 2005 9:54 AM
Comments

Bug 259708 lists four "Lessons" learned (hopefully). May I suggest a fifth lesson (or "Bug handling Bug"), Lesson Number Zero: Shift the software "best practices" paradigm from Debugging to Preventing bugs.

This software best practices paradigm shift also means a paradigm shift in software tools, including the choice of computer language. One example: SPARK, a "strict subset" of Ada95 ("Proof More Cost-Effective Than Testing?", an 18-page PDF slide show presentation), used for the C-130J Super Hercules and C-27J Spartan freight aircraft and other mission-critical software applications.

Question 1: Does such a "strict subset" of C, C++, C#, D, Fortran, Perl, PostScript/Ghostscript, PHP, Python, Ruby, etc., etc., exist?

Question 2: Are open-source developers prepared to change their software best practices paradigm from Debugging to Preventing bugs?

Question 3: Are open-source developers prepared to change their choice of software languages to "strict subsets" such as SPARK?

Thank you,
Eddie Maddox

Posted by: Eddie Maddox at March 8, 2005 4:51 PM
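Added example, not part of the post or of the comment above: what the commenter's "prevent rather than debug" approach looks like in plain C rather than SPARK. The contracts are written in ACSL, the annotation language read by the Frama-C verifier (a tool that post-dates this 2005 post); the annotations are ordinary C comments, so the file compiles with any C compiler, and Frama-C can be asked to prove that every array access stays in bounds and that the postcondition holds for all inputs, instead of hoping a test suite hits the bad case. The function, its contract and the sample array are constructed for illustration; the runtime-checked wrapper shows the other half of the discipline, rejecting a caller that cannot be proven to satisfy the precondition.

```c
/* Added example: contract-first C in the style the comment argues for.
 * ACSL annotations (Frama-C) live in comments, so this also builds with
 * a plain C compiler; nothing here is code from the post or from SPARK. */
#include <stddef.h>
#include <stdint.h>

/* Contract: caller guarantees a non-empty, readable array; we promise
 * an in-bounds index of a maximal element and touch no global state.
 * A prover checks these for all n, not just the n the tests used. */
/*@ requires n > 0;
  @ requires \valid_read(a + (0 .. n-1));
  @ assigns \nothing;
  @ ensures 0 <= \result < n;
  @ ensures \forall integer i; 0 <= i < n ==> a[i] <= a[\result];
  @*/
size_t index_of_max(const int32_t *a, size_t n)
{
    size_t best = 0;
    /* Loop invariants are what let the prover discharge the postcondition
     * and the in-bounds obligation on a[i] and a[best] without running code. */
    /*@ loop invariant 1 <= i <= n;
      @ loop invariant 0 <= best < i;
      @ loop invariant \forall integer k; 0 <= k < i ==> a[k] <= a[best];
      @ loop assigns i, best;
      @ loop variant n - i;
      @*/
    for (size_t i = 1; i < n; i++) {
        if (a[i] > a[best])
            best = i;
    }
    return best;
}

/* Boundary wrapper for callers whose inputs are not verified (network
 * input, file parsers): the precondition becomes an explicit check with a
 * status code, so a violation is refused instead of debugged later.
 * Returns 0 and writes *out on success, -1 when the contract cannot hold. */
int checked_index_of_max(const int32_t *a, size_t n, size_t *out)
{
    if (a == NULL || n == 0 || out == NULL)
        return -1;
    *out = index_of_max(a, n);
    return 0;
}

/* Constructed sample input (illustration only). */
static const int32_t sample[] = {3, 9, 2, 9, 1};

/* Expected: index 1, the first maximal element. */
size_t demo_index(void)
{
    return index_of_max(sample, sizeof sample / sizeof sample[0]);
}

/* Expected: 1, i.e. an empty array is rejected and *out is left untouched. */
int demo_empty_rejected(void)
{
    size_t out = 42;
    return checked_index_of_max(sample, 0, &out) == -1 && out == 42;
}
```

The split between the two functions is the practical answer to the commenter's Question 1: C has no enforced "strict subset", so the proof obligation is attached to the inner function and an explicit check is placed at the trust boundary, which is where a prover would otherwise be unable to establish the precondition.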