Category Archives: Open Source

Open Source, Free Software, and similar

Another curl scan shows work to do

The nice guys on Coverity did a new scan on curl (the 7.19.0 source code) and they dug a bunch of new flaws. The previous version they checked was 7.16.1, release some 20 months before. The new changes are not only because of how the code has changed in the mean time, but it seems their scanner have improved a bit since the last time as well!

Here’s a sample view of how libcurl might dereference a NULL pointer with a step-by-step explanation on what conditions that lead to the flaw:

They identify 22 flaws and I found it interesting to compare the top list of bad functions as reported by Coverity with the complexity list I showed the other day. First we need to ignore the 9 flaws Coverity found in the ‘curl’ tool code (i.e not within the library). Then the 10 remaining functions with flaws marked by Coverity are:

  • Curl_getinfo (4 flaws, all the other ones have one each)
  • Curl_cookie_add (present in the complexity top-10 table)
  • FormAdd (present in the complexity top-10 table)
  • parsedate
  • ftp_parse_url_path
  • tftp_do
  • resolve_server
  • curl_easy_pause
  • add_closure
  • Curl_connect

See? Only two of them were present in that list. The Coverity tool does in fact also count the complexity for each function, and while it doesn’t match the values pmccabe shows exactly, they seem to agree in general about what functions that are the most complex ones.

Ok, now let’s go work on fixing all these problems…

Meizu M3 displays Rockbox

Just days after the nice Sansa v2 LCD screenshots, the guys on the Meizu front brought this picture (photo taken by Frank Gevaerts).

It does show a working LCD driver although of course the colours are all messed up due to some glitch still remaining in there…

It’s somewhat confusing with another model called M3, as Rockbox already runs on the iAudio M3 since March 2008. I think we need to refer to the Meizu M3 as MM3 or perhaps always with Meizu prepended or similar to differentiate between them properly.

Nice job!

Curl Cyclomatic Complexity

I was at the OWASP Sweden meeting last night and spoke about Open source and security. One of the other speakers present was Simon Josefsson who in his talk showed a nice table listing functions in his project sorted by “complexity“. Functions above a certain score are then considered “high risk” as they are hard to read and follow and thus may be subject to security problems.

The kind man he is, Simon already shows a page with a Curl Cyclomatic Complexity Report nicely identifying a bunch of functions we should really consider poking at to decrease complexity of. The top-10 “bad” functions are:

Function Score Statements Lines Code
ssh_statemach_act 254 880 1582 lib/ssh.c
Curl_http 204 395 886 lib/http.c
readwrite_headers 129 269 709 lib/transfer.c
Curl_cookie_add 118 247 502 lib/cookie.c
FormAdd 105 210 421 lib/formdata.c
dprintf_formatf 92 233 395 lib/mprintf.c
multi_runsingle 94 251 606 lib/multi.c
Curl_proxyCONNECT 74 212 443 lib/http.c
readwrite_data 73 127 319 lib/transfer.c
ftp_state_use_port 60 195 387 lib/ftp.c

I intend to use this as an indication on what functions within libcurl to work on. My plan is to primarily break down each of these functions to smaller ones to make them easier to read and follow. It would be cool to get every single function below 50. But I’m not sure that’s feasible or even really a good idea.

Rockbox displays stuff on Sansa v2

The small team of Rockbox hackers working on the Sandisk Sansa v2 architecture have been doing some great progress recently and I think it’s fair to say that we all enjoy Rafaël Carré’s photo on the left here (showing a Sansa Clip) that shows the state of where things are right now.

There is code running. There’s a start on a LCD driver and there’s a working concept to put our own bootloader code onto the device that can load and start rockbox in a future.

Nice work on this guys!

Rockbox on FLOSS Weekly #43

Randal Schwartz and Leo Laporte interviewed our own Paul “Llorean” Louden about the Rockbox project on FLOSS Weekly and we were a bunch of Rockboxers hanging out on the IRC channel #rockbox while it was streamed live. This will be in the FLOSS Weekly episode #43 that’s supposedly going to become available on friday the 3rd of October.

I think Paul did a great job explaining a lot of things, big and small, around the project and how it works and runs.

Not Based on Linux

Linux Action ShowOk so the guys on the Linux Action Show podcast don’t really get a lot of bonus points from me lately. The episode after they had their “we need to sell proprietary software” outburst, they slammed the Rockbox 3.0 release (roughly 23:40 into the episode for you who want to fast-forward to it).

They started off the news about Rockbox 3.0 claiming it is based on Linux (which it isn’t and never was), only to mention that they failed to install on their ipod 3rd gen at their first attempt (but succeeded at a second attempt), whined somewhat on the installer and then again complained about the inability to install themes even though this is 3.0 yada yada yada.

All in all, pretty much a complete non-understanding for the hard work and endless time that hundreds of people have put into Rockbox. Nothing particular to hear or care about, just a bit annoying.

So THAT is the point of releases!

In the Rockbox project we’ve been using a rather sophisticated build system for many years that provide updated binary packages to the public after every single commit. We also provide daily built zips, manuals, fonts and other extras directly off the subversion server fully automatic every day.

I used to be in the camp that thought that this is a very good system to the extent that it makes ordinary version-numbered releases somewhat unnecessary since everyone can easily get recent downloads whenever they want anyway. We also had a general problem getting a release done.

But as you all know by now, we shipped Rockbox 3.0 the other day. And man did it hit the news!

lifehacker.com, gizmodo.com, engadget.com, slashdot.org, golum.de, boingboing.net, reddit.com and others helped us really put our web server to a crawl. The 4 days following the release, we got roughly 160,000 more visits on our site than usual, 5 times the normal amount (200,000 visits compared to the “normal” 40,000).

Of course, as a pure open source project with no company or money involved anywhere, we don’t exactly need new users but we of course want more developers and hopefully we do reach out to a few new potential contributors when we become known to a larger amount of people.

So I’m now officially convinced: doing this release was a good thing!

They can’t do it so I won’t

I listened to a recent episode of the Linux Action Show podcast the other day (s9e4), and in that episode the hosts Bryan and Chris really lost touch with reality.

First they started ranting about how “the Linux Desktop” needs an eco system for proprietary closed-source applications. They claimed that we cannot make good quality software entirely open source, that open source products and tools won’t be as good as proprietary ones. They apparently decided that the reason there’s a lack of some tools (notable example that these guys like to bring up: video editors) is that the creators of these tools don’t make them proprietary so that they can sell them.

Of course they had nothing to back up their claims but a few random guesses from their behalf.

Then, after that whole weird segment that seemed to be taken out of the blue, Bryan strikes with announcing how he intends to improve the linux desktop environment by start selling two proprietary tools to the world to show that it can be done and yada yada.

I mean, this guy has never done any particular open source or free software contribution of significance. It’s not like he even tried to contribute and make a living off of something related. They decided that others have tried and failed, so he shall not.

The two tools he now sell are two minor tools that will prove nothing about how proprietary programs can or cannot survive on the Linux market. If he fails to sell enough to make a living it just says nobody wanted his niche products well enough (or that he asks too much money for them), and in case he does get money from the products to make a decent living it is not a proof that he couldn’t have made a business case for an open source version.

These are two guys who tend to praise linux and open source and everything in episode after episode. In my view, the open source world has proven over and over again that it is capable of producing and making just about anything to a quality that matches and surpasses those of the proprietary closed-source world. These guys just happen to come to a conclusion that this concept doesn’t work exactly at the same time when one of them decides it’s time to sell proprietary linux software?

I say hypocrites.