I found this blog entry on zdnet yesterday:
"Secure open source at least a year away."
Statements like this are very misleading and incorrect on countless levels. What it really boils down to is the Coverity chief scientist trying to make a case for their tool. In all seriousness, the flaw they found is a simple typo that only affected very new X.org versions. Of everything Red Hat ships, only Fedora Core 5 was affected, and it was fixed shortly after the issue went public because the fix was so simple. Please keep in mind that I take security very seriously, but I also believe in accurate and truthful analysis of issues. Making an issue sound far more spectacular than it is, is nearly as bad as claiming it is less severe than it actually is.
I think the Coverity results should be viewed from the other side of the fence. A quote from the Coverity chief scientist:
I think we’re already making an impact. The fact we’ve found so many defects in a short amount of time proves this can be a valuable technique.
They found a large number of defects, with this being the most significant security defect among them, and they claim secure open source is a year away? At this point, I feel pretty good about the security of open source software.