If you are interested in security and security metrics, I highly recommend reading Dan Geer’s chart deck on “Measuring Security” [1]. It weighs in at a hefty 426 pages, but it made me laugh out loud in parts and go hmmm. Highlights include p. 108 on “Decision Making”, which says: “Rational decisions are not enough. Need to also allow for your preferences.” I really like the model for “Tracking Performance” that he shows for selected security software on pages 154-156, but caution still needs to be applied, and meta-information about the numbers is important for full understanding: did the product undergo extensive review one year? Are the CVEs equivalent to each other in severity? And so on. Well worth a read and on my list for more comprehensive study.
[1] Dan Geer, Measuring Security
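To make the severity caveat concrete, here is a small added example (my own illustration, not from Geer’s deck) that ranks two hypothetical products first by raw CVE count and then by a severity-weighted score. The product names, years and CVSS-like scores are constructed sample data; the point is that the two orderings need not agree, which is exactly why the raw count on its own tells you less than it appears to.

```python
"""Raw CVE count versus severity-weighted score per product.

Constructed sample data (not from Geer's deck, not real CVEs): each record is
(product, year, severity) where severity is a CVSS-style base score 0-10.
ProductA has more CVEs, but they are mostly low severity; ProductB has fewer,
all critical. The two ranking functions disagree on which "performs" worse.
"""
from collections import defaultdict

# Constructed sample records: (product, year, cvss_base_score). Hypothetical.
SAMPLE_CVES = [
    ("ProductA", 2005, 3.1), ("ProductA", 2005, 2.4), ("ProductA", 2005, 4.0),
    ("ProductA", 2006, 3.3), ("ProductA", 2006, 2.0),
    ("ProductB", 2005, 9.8), ("ProductB", 2006, 9.0),
]


def raw_counts(cves):
    """Per-product, per-year count of CVEs: the naive 'tracking' metric."""
    table = defaultdict(lambda: defaultdict(int))
    for product, year, _score in cves:
        table[product][year] += 1
    return {p: dict(years) for p, years in table.items()}


def weighted_scores(cves, weight=lambda score: score):
    """Per-product, per-year sum of weight(severity).

    The default weight is the raw CVSS score; pass e.g. lambda s: s ** 2 to
    penalise critical issues more steeply than a linear sum does.
    """
    table = defaultdict(lambda: defaultdict(float))
    for product, year, score in cves:
        table[product][year] += weight(score)
    return {p: dict(years) for p, years in table.items()}


def rank(table):
    """Order products from worst (largest total across years) to best."""
    totals = {p: sum(years.values()) for p, years in table.items()}
    return sorted(totals, key=lambda p: (-totals[p], p))


if __name__ == "__main__":
    print("by raw count:     ", rank(raw_counts(SAMPLE_CVES)))
    print("by severity sum:  ", rank(weighted_scores(SAMPLE_CVES)))
    print("by squared score: ", rank(weighted_scores(SAMPLE_CVES, lambda s: s ** 2)))
```

With the sample data the raw count puts ProductA first (five CVEs against two), while any severity weighting puts ProductB first. The same shape of correction applies to the other piece of meta-information mentioned above: a year in which a product was audited intensively will show a spike in the count that says more about the scrutiny than about the code.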
Gerrit is blogging the Linux Kernel Summit this week, and his blog entries are well worth reading, if only for the use of the word kerfuffle. Seriously, there is good stuff there; Andrew Morton on Linux Kernel Quality is especially interesting to me. I had heard that Andrew was tossing around the idea of requiring test cases for patch submissions. That would greatly increase test code coverage and reduce regressions, but based on the discussion in Gerrit’s blog posting, it looks like it would have been dismissed out of hand for requiring too much additional work, if it had even been brought up at the kernel summit. A related topic was raised during the Documentation session, with a proposal to pull LTP tests into Linus’ git tree.
Off the topic of quality, this cracked me up: “The running joke was that long explanations of x86 functionality requested by the s390 people were usually ended with the comment ‘oh, I understand now, we have an instruction that does that’ ;)”
I love this coverage of the Kernel Summit; along with LWN’s coverage, it is better than actually being there!

