Should Open Source Software Expire?

Daffy writes "Jon Lasser at SecurityFocus has an idea for combating the tendancy most sysadmins have to leave old versions of software running long after they're known to have security holes. He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update."

Bad idea

[drodver]

Open Source is about not forcing you to do anything. Besides the code could just be removed. Who is a developer to say how I should administer my box.

Re:Bad idea

[Clay+Mitchell]

great point. if i had moderator points i'd mod this thing to hell and back

Re:Bad idea

[gilder]

I agree that the user/admin should have the freedom to allow it to expire. How about making it a configure option? Say expire on a date I give or a suggest date from the author. Give the program an email address to nag if it expires?

Re:Bad idea

[Morel]

Besides, how many times have we come across 'new and improved' versions of our favorite software that just plain suck?

Careful sysadmins don't just set the Automatic Upgrade swith to "Full Throttle", they evaluate stuff before deploying it.

Morel

Re:Bad idea

[FortKnox]

Open Source is about not forcing you to do anything

EXACTLY.

You're taking the "Free" out of "Free software".

Only evil proprietary companies force you to do stuff, right? ;-)

Re:Bad idea

[Galen+Wolffit]

Oi, I agree, but for different reasons. Yes, the code could be commented out - so what? Any code that secures an existing hole can be commented out, thus re-opening the hole.

I think it's a bad idea to actually _disable_ a running program, because doing so can cause problems that are not necessarily immediately traceable back to the disabled program. Instead, the program should raise some sort of persistent alert, via email, logfiles, or whatever, at some interval, alerting the administrator that there is an out of date program running.

Re:Bad idea

Public domain software doesn't force you to do a damn thing.

The GPL does. It can be argued that it has a noble goal, and the ends justify the means, but that doesn't change the fact that the GPL does put limitations on the source code.

Re:Bad idea

[fuzzydonkey]

Or the clock could just be turned back.

Re:Bad idea

[aardvarkjoe]

Well, he didn't say "Free Software is about not forcing you to do anything", did he? Not all open source software is under the GPL.

Re:Bad idea

[bartjan]

You're taking the "Free" out of "Free software".

No, the user is still free to disable the expiry from the source. The difference is that when a user disables the expiry date from the software, he knows what risk he takes.

Re:Bad idea

[drodver]

A project that provides librarys other Open Source projects can use to enable automatic code updates would be way cool. Then admins could opt-in to have programs auto-update without user intervention. Proper security and checkpointing would be required, though, to prevent an app from breaking without a recourse to return to full functionality.

Re:Bad idea

[FortKnox]

So now you are assuming that all the users of the software can code, understand the source, and modify it?

I thought the idea of open source was to build the source and not care about what the user does with the software, except selling it.
Now, if the user REALLY cared about security, you think she/he'd check for updates from time to time?

Re:Bad idea

[jgerman]

Un implementable idea, it's open fucking source, the whole point, or at least a part of it anyway was to prevent bullshit like this. Not to mention the fact, like you said, that it can just be removed.

Re:Bad idea

[selectspec]

Timebombs are a terrible idea. If I could draw and submit ASCII art of "thumbs down" I would.

Re:Bad idea

[cymen]

Well if you don't know how you have to upgrade. Hrm... I'm not saying that is good or bad but it is funny.

Re:Bad idea

[SparafucileMan]

Correct, like that saying, he who values security over freedom will soon find he has neither.

Re:Bad idea

[ichimunki]

You mean like setting a cron job to run apt-get update or yup or one of the many auto-update features included in the typical Linux distro? The same would work with BSD ports, only it would include a recompile from source.

Re:Bad idea

[linuxChique]

i agree. if there's one thing we've learned from microsoft, it should be that microsoft sucks. but if there's a second thing, it should definitely be that just because one version of a program is newer doesn't mean that it is better, more stable, more secure, etc. forcing admins to run the newest software isn't the best way to ensure the security or stability of a program or server. and on the issue of allowing an install option for the admin to set an expiration date, how will this ensure anything? how can an admin make a wise decision on an expiration date for a program if he doesn't know exactly when a more stable, secure version is going to be available? the developers dont even know that much. things happen... delays cause late releases. are the admins supposed to tough it out if their software expires before the next release?

Re:Bad idea

And I could ask 'Who is an administrator to say how I should write my software?'

I do think it would just be an annoyance, though.
If you're a crappy sysadmin and get cracked because you didn't update your software, then perhaps you should find a new line of work. Time limits aren't going to help except for those who shouldn't be looking after machines in the first place (i.e. those guilty of false laziness.)

Re:Bad idea

How about writing a cron job that deletes all of your software once a year? That's expired. And it gives the ultimate control (and responsibility) to the sysadmin, where it belongs. Software should not set policy. People should.

Re:Bad idea

[Erik+Hollensbe]

I agree. This is what ANNOUNCE lists are for, and bugtraq...

Re:Bad idea

Also, what if it's "business critical" and the software decides 'I won't work anymore'? I'd hate to have my iron lung running open source expireware.

Re:Bad idea

[4of12]

I agree that putting in arbitrary time locks is not a good approach to making open software secure.

Fundamentally, the best approach is to encourage sysadmins and those responsible for hiring sysadmins to take security as a serious matter.

Practically, I'd say a better approach is to have open source security scanning software that sysadmins can use to easily diagnose whether their systems and applications have a potential security problem. The raw ingredients for something like this are already out there, but I'm not sure if they are conveniently packaged.

It's one thing to see CERT and CIAC vulnerability postings and mull over whether some random application might occasionally open up a weird network port and be vulnerable to a BO, but that requires some investment of time.

A service that allows you to download and run a trusted, signed test application for each of the vulnerabilities you see on Bugtraq would be a real time saver for most sysadmins, who have quite a lot to do already.

Re:Bad idea

[ichimunki]

I thought the idea of open source was to build the source and not care about what the user does with the software, except selling it.
,br> Except that even with "business-friendly" sounding open source, selling the software is fine, as long as you provide the source code.

Re:Bad idea

[gotan]

That way i'd have to configure each piece of software, or make it all depend on a special configure file. Anyway i don't find it appropriate to patch each app in such a way. It'd be much easier to regularly run an 'expire' job that simply updates a list of expired software (from the net) and compares it against the versions in the rpm-database.

Then the user/admin can decide what expire should do: maintain a list of expired software (maybe with different warning levels, from "obsoleted by a new version" to "security hole, patch now"), mail him, shutdown the service, update automatically (shiver), whatever. The admin can also decide how often 'expire' should run, or, in case of a static ip, maybe even allow the 'expire-server' to contact his machine.

The method of comparing against a list on the net (or maybe on some update media) is better than expiring after a preset time. And selferasing software is simply nonsense. imagine software development is discontinued, or you just can't reach the net, and thus not update anyway, or an admin is on holidays. He'd probably prefer the firewall up and running, even if outdated, than having no firewall at all.

Also maybe other projects depend on a certain piece of software. Forcing to switch versions at some preset date isn't helpfull at all in that case. There are so many possible reasons why someone might want to hold onto an old app a little longer, maybe even for 20-30 years. This "force to upgrade" practice could come right out of microsofts book of marketing, but it doesn't make sense for open source software.

Maybe he should've written that piece 2 days ago ...

Re:Bad idea

[drodver]

Something like that. It would need to archive the current setup so if the upgrade fails there is a fallback. Also it would have to be limited to minor revisions ie x.y.z to x.y.z+1. It would also impose limits on developers like not being able to change the configuration of the app in a x.y.z+1 release.

Re:Bad idea

GCC 3.0 anyone?

Re:Bad idea

[ebbomega]

If you don't want someone screwing with your code, don't write open source software. That's a real simple solution.

Re:Bad idea

[Anonymous+DWord]

ph33r...

_____
|--` ()_)
| ()__)
| ()___)
|-. ()__)
\ \
|_)

Re:Bad idea

[ncc74656]

Timebombs are a terrible idea. If I could draw and submit ASCII art of "thumbs down" I would.

...something like this?

________
__)
__)
____)
\___)
\\
\_\

:-)

Re:Bad idea

[anthony_dipierro]

Public domain software doesn't force you to do a damn thing.

The GPL does.

The QingPL doesn't. Unless you count forcing you to release derivitive works under the QingPL, but really that's forcing you not to do something (sue people), not forcing you to do something.

Re:Bad idea

[anthony_dipierro]

Un implementable idea, it's open fucking source

I think the point is that if you take the time and have the knowledge to remove the timebomb, you might as well just download the upgrade.

Re:Bad idea

[ArsonSmith]

I have an idea,

lets just keep a repository of updated applications in mirriored trusted locations all over the world.

Then come up with a way of indexing these applications and haveing an interface for updateing these packages.

of course there would have to be a detailed policy and rules on how to build these packages and how to upgrade them and such.

but think about it you could just type something like:

get update

and it would download the latest packages available then type

get upgrade

and you would be able to upgrade to the latest files available so far.

what to call it though. Hmmmm. Its all so simple why hasn't someone come up with this before?

Re:Bad idea

[homer_ca]

Lazy sysadmins who install with all default settings and never update are not likely to dig into the source to disable the expiration. If they're REALLY lazy they might not even try to find unofficial download sites with non-expiring binary packages.

Re:Bad idea

Not hard at all. I see another person already posted the instructions, but I just wanted to reiterate that it is possible. I could do it, you probably can do it too. Especially now that you have a HOW TO.

Re:Bad idea

That's the point though, isn't it?

If you're capable of reading and modifying the source, you are infact, much more likely to keep upto date on security patches and bug fixes, and not need that kind of reminder, thus you can disable it and go on your merry way, no harm, no foul.

If on the other hand, a user doesn't have the technical skills or inclination to modify the source, they are most likely the kind of user that is not going to keep up with security patches or updates, and thus, they are most likely the kind of user that needs to be reminded/forced to upgrade periodically.

Re:Bad idea

[polyphemus-blinder]

I agree. The solution to irresponsible sysadmins who let software get outdated is to fire them. It's as simple as that: people who do not do their job deserve to get fired; and people who can't hire responsible sysadmins deserve to have their systems hacked.

Re:Bad idea

Another Bad Reason for this is licensing terms. Remember when you could only get SSH from SSH, Inc?

From 1.0 to 2.0 they changed the licensing to make it less free ( no commercial use or commercial supporting use).

Re:Bad idea

[Basje]

I think it's a bad idea to actually _disable_ a running program

I know that this is a bad idea. I have a box I administer about 10000 kms away from here (it's in Canada somewhere, I'm in Europe). Disabling ssh would be detrimental. I'd rather have a cracked box with ssh than a secure one without.

Re:Bad idea

I do this very same thing (well, pretty simmilar):
I have a cronned perl script that does the following:
1/ ftp on a series of master sites for updates (mostly red hat update sites for versions from 5.2 to 7.2 I maintain, but ftps for other programs I'm interested to, like nedit) and downloads a list of all packages at disposal.
2/ The script ssh to all maintained boxes and look for the name of each downloaded package (limited as per config file to those reasonable, so a RH6.2 install doesn't look for packages at the RH7.2 update dir); let's say rpm -q openssh (if ssh is in the list of candidates) if not installed, next package, please; if installed, look for version; if installed version is lower than listed as candidate, download the package and make a symlink from a directory called after the monitored box, then follow.

After the run I have a local repo with all candidate packages from the update repositories, and a series of symlinks that tell me exactly what boxes would need to actualize; The script also writes down a report and send it to me by e-mail.

In the morning I just have to look at the report and the symlink tree created and I know what to update. Apart from this, if the package is already downloaded and the symlink for a box created the script doesn't account for it in the report so it doesn't grow with packages I know I don't want to update. As I upgrade a package on one of the boxes I just have to delete de symlink.

more or less like this:

baserepo
|-7.2distro
| |-pkg1
| |-pkg2
|-6.2distro
| |-pkga
| |-pkgb
|-boxA
| |-pkg1->../7.2distro/pkg1
|-boxB
| |-pkgb->../6.2distro/pkgb

It still doesn't run smoothly (it doesn't cache already downloaded lists from the remote sites, but it recreates the listing afresh each time it runs, and from time to time it has problems with some packages versions -specially those with letters is the version like pkg-1.2.3-build20020119.i386.rpm) but it helps me well enough on my day to day admin tasks (just an ls on the baserepo and I can't forget about updating ssh on that silent box in the corner) but even then, it's only a part along with CERT e-lists and critical programs user e-lists.

Why not a "program" to obsolete obsoleted/lazy sysadmins? I bet this would be a better option *by far*.

Re:Bad idea

Debian and APT - Forces of nature.

#apt-get install
#apt-get upgrade
#apt-get dist-upgrade

#apt-get rule-the-world

Re:Bad idea

[naushir]

windows update? :)

Oh yea, THAT'S a great idea...

[xyzzy]

As if being kept on the upgrade treadmill by Microsoft isn't bad enough!

You can't pick an arbitrary point in time when software is "too old", or "known to have security holes!" If you could do the latter, you'd just fix the security holes...!

Re:Oh yea, THAT'S a great idea...

[jezreel]

And think about all the consultant guys that make their customers pay for admins doing the all the update.
So when you're just a beep and a click (like M$) away propably nobody will pay you shit for that

Re:Oh yea, THAT'S a great idea...

[vladkrupin]

/>telnet mybox.com
Trying 192.168.1.1...
Connected to mybox.com.
Escape character is '^]'.

Red Hat Linux release 6.2 (Zoot)
Kernel 2.4.4 on an i686
login:user
password:

Last login: Wed Apr 03 2002 15:32:15 -0800
You have new mail.
Sorry, you copy of Bash has expired.
Connection closed by foreign host.
/>

Re:Oh yea, THAT'S a great idea...

[Frank+T.+Lofaro+Jr.]

Which would be a good thing, since the current version appears to have a grammar flaw. ("you copy") ;)

Re:Oh yea, THAT'S a great idea...

[vladkrupin]

hey, good point :)
too bad i won't be able to login to get download the new version:(

.net?

[nolageek]

This sounds like .NET to me. Upgrade your software or we'll upgrade it for you. What would we call this, upgradeware? Vincent

Stupid idea

[dybdahl]

This is probably the most stupid idea I ever heard of. Think embedded: "I just updated my washing machine to the latest version of bash". Do I have to say more?

Re:Stupid idea

Yes, you should explain why the hell you have bash on your washing machine in the first place.

Erm, no

[adamwright]

I have old internal boxes that are way way out of date, but safely firewalled away doing just what I want them to do. Rebuilding those every few months/years (or having to remove timebombs from software before I install it) == Bad idea.

I agree that software should assist admins in keeping it uptodate, but honestly, legitimate users shouldn't be affected if an admin is incompetant or lazy.

Re:Erm, no

[why-is-it]

I have old internal boxes that are way way out of date, but safely firewalled away doing just what I want them to do.

I don't trust the users on my network any more than I trust the 133t d00dz on the Internet. Will your firewalls protect against your users?

Most security breaches occur from within.

Re:Erm, no

[adamwright]

Well, if one of the "users" really wanted to hack the box, all he has to do is walk up to it and remove the harddrive :) I don't have any external access past the DMZ.

Re:Erm, no

[3Bees]

Along these lines, it might be a good idea if package management systems kept track of such stuff (queried their central databases about known security holes/outdated programs) and notified admins.

At least this would remove any burdensome mandatory nature from the effect while still satisffying the perceived demand.

Re:Erm, no

[why-is-it]

Well, if one of the "users" really wanted to hack the box, all he has to do is walk up to it and remove the harddrive :) I don't have any external access past the DMZ.

Not to deflect the conversation too far away from the original, but that is why good security practices are more than just about code. Where do you keep your servers, and who has physical access to them is an equally valid concern.

Re:Erm, no

[elmegil]

And if the answer to those concerns is "I don't care in this environment" then why should you criticize?

Re:Erm, no

[Zathrus]

Agreed. But take it a step further - exactly how are you supposed to update embedded hardware? Replace all the surface mounted ROMs that the software may be burned into?

Uh....

Re:Erm, no

that is why good security practices are more than just about code.

And, to drift slightly further off topic, this is why people who the community seems to consider 'security experts' (i.e. Theo, and that crypto guy) are not really security experts. They're people who've dabbled in an area that has an impact on security, without seeing the whole picture.

Re:Erm, no

I agree that software should assist admins in keeping it uptodate, but honestly, legitimate users shouldn't be affected if an admin is incompetant or lazy.

Legitimate users ARE affected by lazy and incompetent admins. Their mail gets read, their files gets stolen, and their apache logs gets filled with stuff like [Wed Apr 3 05:43:20 2002] [error] [client 213.80.43.46] File does not exist: /usr/share/httpsd/htdocs/msadc/..%5c../..%5 c../..%5c/..^\../..^\../..^\../winnt/system32/cmd. exe

Re:Erm, no

[swb]

Not to deflect the conversation too far away from the original, but that is why good security practices are more than just about code. Where do you keep your servers, and who has physical access to them is an equally valid concern.

So are things like maintainability, usability and so on.

Security is a kind of risk, and everyone accepts a certain amount of risk. I *could* insure my car to a $50 deductable and let the insurance co. take all the risk beyond that, but that would cost me $500/month. Instead I assume $500 worth of risk and I pay only $100 month.

You're absolutely right that there are other concerns, but in some organizations the costs associated with a specially locked room, time/money/effort maintaining boxes is more cost than percieved risk that some internal user in a 50 person company may decide to try to hack sendmail 8.9.

Re:Erm, no

[nathanm]

I agree, and I think I have a better idea:

If a computer is compromised via a known security exploit a set length of time after a patch is released, the computer's owner forfeits the right to sue for damages.

Re:Erm, no

[Floodimus]

Time Bomb is a very appropriate term, I think. It is hard enough to keep my Microsoft software running. I would gain more ulcers if my open source software just up and quit every once in a while.

Re:Erm, no

[alexburke]

Why not have the software timebombed with a simple-to-use bypass mechanism: one single line in the program's config file...

I_KNOW_THIS_SOFTWARE_IS_OUT_OF_DATE_AND_SHOULD_B E_ UPDATED_ASAP = true

Re:Erm, no

[Delphis]

in some organizations the costs associated with a specially locked room, time/money/effort maintaining boxes is more cost than percieved risk that some internal user in a 50 person company may decide to try to hack sendmail 8.9.

Of course most places that have a locked computer room can administer those boxes via ssh anyway from the comfort of their desk and not the teeth-chattering cold of the computer room in winter. So you can indeed lock a machine away physically and just communicate with it over the network to do everything you need. Remote administration of UNIX machines, firewalls, routers, switches, UPSs is a great thing.

I do heartily disagree about the software expiry thing too. I like to have nice stable systems and know that the versions of the software I'm using are tried and tested. I use Debian. apt-get update ; apt-get upgrade for security updates is great and beyond that I don't need any help keeping software up to date, even software I compile myself (e.g. Apache, mod_ssl, PHP, MySQL etc.). That's what announcement mailing lists are for if you don't want to keep checking the websites yourself! :)

PS: Noone in their right mind should be running sendmail anyway :> .. QMail rules!

Re:Erm, no

[leuk_he]

if package management systems

Up that one. There is where this functionality belongs.

One program to rule them all,
One program to find security bugs,
One program to download them and in the darkness install them.

Or not

[klosskorban]

Why not just have it a feature of your package management system? IE. the not yet finnished, PKGtool 2.0 system

Re:Or not

[KeyserDK]

Yeah this shouldnt be implemented in the software itself but the "software that provides it.

Still not a perfect solution though.

Re:Or not

I lik ethe idea of putting this in the package manager... apt-get eleventyfrobozzhappydance.deb --enable-expiration-notify. (or rpm -i happy.rpm -timelimit) If there is no suggested time limit in the package, nothing happens. If the package has a suggested obsolete date, then root will get an email when the package expires, or something. Actually, can't apt-get automatically update all your packages, and check to see what's out of date whenever you want?

Re:Or not

[fymidos]

Excellent idea.. something like the norton thing ( there are updates available do you want to download them?).
Yes, updates may break things, but if you know what you are doing you don't need this system anyway. Users will surely appreciate it, especially if they are not bothered with details and everything can be done in the backround.

Freshness!

[micantos]

What are you talking about? OSS has a longer shelf life than Twinkies. :)

Re:Freshness!

[Yogger]

Twinkies are only at the peak freshness for about a week, at least thats what the guy on "Unwrapped" said.

Unwrapped being a TV show on the food network

I think....

[Bob+McCown]

I think that the premise that all computers are exploitable is a wrong one to persue. Granted, any idiot that leaves an exploitable machine running on the net gets what he deserves, yet in this age of DDOS viruses/trojans, the damage goes far beyond a single machine. BUT, I dont think FORCING an upgrade is the way to go. If I have a machine on an internal network merrily pluggin away for years, why break it if its working?

Re:I think....

[Trepalium]

Good point. I think a better idea would be a timebomb in the software that doesn't disable the program, but rather just starts spitting out warnings once you reach a certain age. I think six months to a year should be acceptable for most software. This, of course, doesn't apply to all software. I seriously doubt there'll be an exploitable security vulnerability in GNU echo any time in the near future, or any other mundane utility program. Most network daemons could likely benefit from warning the user about running outdated programs.

Re:I think....

"a better idea would be a timebomb in the software that doesn't disable the program, but rather just starts spitting out warnings once you reach a certain age"

- So now the "it has run perfect for ages" box that is maybe not even connected to the network now suddenly dies becourse the disk gets filled up with log entries from a (IMHO) buggy program - I don't like it!

Huh?

[chinton]

This sounds like something that Microsoft would do (or already does).

I would think that it should be optional

[EFGearman]

After all, that is part (a large part) of what Open Source is about. Options.

Now, as a programmer, I may not want to add changes to an older version that I am not working on anymore, so I am within my rights to say, "If you want that additional functionality, you have two choices. Upgrade, or do it yourself."

Again, options.

EFGearman
--

I second the bad idea

[Mistah+Blue]

I'm not a lawyer, but I think you would be opening yourself up to some liability with expiring code. Picture some critical function no longer functioning due to code expiration.

I also don't need someone "telling" me how to administer my machines.

Re:I second the bad idea

[phyxeld]

I also don't need someone "telling" me how to administer my machines.

Exactly. What if the new version of the software has changes I don't like, and there turns out to be no problem with the old version? It's quite common for people to make the informed descision of sticking with an older version of a particular piece of software, and it's arrogant to try and restrict that. The open-source factor obviously makes it a bit less of a problem, but it's still a bad idea. Users shouldn't have to strip timebombs out of the source to keep from upgrading.

Re:I second the bad idea

I think us geeks usually keep up to date with whatever is happening with our favourite security patches... I don't need anybody telling me what to do...

Re:I second the bad idea

What if your software expires and no one is around to maintain the code ? How do you get the darn thing to work again ? There shpuld be a way to override that.

I can see the software putting reminder message at splash screen/start up text or email sysadmin (once) though.

Re:I second the bad idea

Who are going to sue?

Expiration.

[saintlupus]

He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update.

Interesting idea, but the assumption that people will only want to run newer software seems a bit flawed to me. To quote the genius Anonymous, "Assumption is the mother of all fuck-ups."

Last night I installed RH 6.2 on an old P75 I picked up somewhere, and ended up installing an old version of openssh on it (along with a bunch of other older stuff) to save disk space. Under this scheme, I wouldn't be able to; despite the fact that the machine is behind a firewall, I'd be bullied into running larger, more secure software.

The computer is mine. The software is mine. And, should there be an issue, the blame is mine. I don't want anyone who thinks they're smarter than me fucking around with my computers. If I did, I'd run Windows, now wouldn't I?

--saint

Re:Expiration.

[MissMyNewton]

The computer is mine. The software is mine. And, should there be an issue, the blame is mine.

*BUT*, think CodeRed/Nimda-like - your problem could also become mine and I sure as hell don't want that!

Re:Expiration.

[saintlupus]

*BUT*, think CodeRed/Nimda-like - your problem could also become mine and I sure as hell don't want that!

True enough -- hell, I'm _still_ getting Nimda hits on my webserver, and it's been how many months?

Unfortunately, the way to get rid of problems like this is _not_ to assume that every computer user is, er, security-retarded. I'm more than capable of securing my own systems, thanks, and I don't need any wanna-be dogooders trying to do it for me.

--saint

Re:Expiration.

[Alan+Shutko]

We have an employee flying to Tallahassee as I write this because a version of RH6.0 had an old version of ssh on it, which was perfectly safe because it was behind a firewall. Until, of course, the firewall is changed to allow ssh... and someone needs to relay the OS because the machine was hacked.

Seriously, how much space did using a version of ssh with security holes save you? Was it significant, or are you rationalizing your negligence?

Re:Expiration.

[OzTech]

I full agree. One of the things that annoys me the most about product activation as is now being used by Microsoft, is what happens when they decide that the product is no longer supported. You have paid good money for a license to use the software ( Win-XP, Office-XP et-al ), but at asome point in the future, Microsoft can very easily not activate it. Your reasons for needing a new activation code, could be as simple as a total machine rebuild. However, there is a very good chance that because the product is "no longer supported", they won't or perhaps even can't reactivate it. I wonder if they'll give you a refund :)

Re:Expiration.

[jgerman]

Yes and when I'm on my bike you four-wheelers endanger my life on a regular basis, but I have no right to keep you off the road. It comes down to a question of ethics, you have no right to tell me what software to run, that's what we're fighting against with OSS, just as I can't tell you what to drive. That's not to say that you don't have a grievance if someone's negligence causes you trouble, but only after the incident occurs not before.

I said it earlier, it's un-implementable. If someone pulled this crap with their software, I or someone like me, would fix it and redistibute it with this crap coded out.

Re:Expiration.

[BeBoxer]

or are you rationalizing your negligence?

Might I ask who made the decision at your company to open up the firewall to ssh? Did it occur to them to actually try and check the computers that were being made available to it? SSH is probably the easiest deamon in the world to verify. Just telnet to the ssh port on a computer and it tells you the version! It's trivial to automate the process. So I'm not so sure I would be so quick to accuse others of negligence if you just poked a hole in your firewall without bothering to check and see what you were exposing.

Re:Expiration.

[pastie]

Last night I installed RH 6.2 on an old P75 I picked up somewhere, and ended up installing an old version of openssh on it (along with a bunch of other older stuff) to save disk space.

I can understand running older versions of most software, but ssh? Especially considering the recent security announcement about older versions...

No, it should not.

[Dead+Penis+Bird]

Sometimes an "update" isn't always good. For example, I have heard a lot of good feedback on Mozilla 0.9.8, but only tepid for 0.9.9.

Another example was the Napster beta software. A lot of people who upgraded to later betas (7 and later) often switched back to 5.

Most often, updates are good. But don't force it on users who might not want them. After all, isn't Open Source about freedom, anyway?

Re:No, it should not.

Well, 0.99 hasn't tanked my machine yet, while I was getting used to hearing 0.98 thrash and watching X vaporize as the system ran out of memory *and* swap. (Admittedly, I'm using a Mozilla-obsolete system, with 'only' 128MB RAM and 128MB swap, FreeBSD 4.5-RELEASE.)

Wouldn't it make more sense...

[Markusis]

Wouldn't it make more sense to include something that checked the web for available updates and presented them to a sysadmin as an option or a recommended upgrade. It's silly to have something "expire" when it can just be patched or upgraded.

Re:Wouldn't it make more sense...

You mean the way Red Carpet does?

Re:Wouldn't it make more sense...

[ronfar]

Mandrake does this. Anytime I log into my Mandrake box as root, it says "You do not seem to have configured a source for security updates, would you like to do this now?"

Nag, nag, nag...

Re:Wouldn't it make more sense...

[tupurz]

This seems to be a better idea...what would happen if the sysadmin "expires" prior to the software? Company shuts down? These things must be able to carry on without us...

Re:Wouldn't it make more sense...

You are assuming that everyone has internet access - don't!

Re:Wouldn't it make more sense...

[singularity]

Of course, then you have the entire Slashdot community up in arms about spy-ware.

You would be able to see the source, but it will still be transmitting your IP number and the software version number.

Another big problem, though, would be computers that are firewalled off from the Internet as a whole.
The biggest problem, though, would be the server that would keep track of that information. Suppose the software is no longer supported or written. Then you have to either remove the code and recompile or you would have to wait for the software to time out each time.

Not a good solution. I think the best thing would be a warning at start-up on occasion that automatically says "OK" after a ten seconds or so(so that headless servers would be able to startt the software up without keyboard there to hit OK). Or at least allow people to start from a command line with a "no reminder" set.

Re:Wouldn't it make more sense...

No, he means the way Red Carpet does.

Re:Wouldn't it make more sense...

alright there AC...if you don't have internet access..then, you have a lot less security issues anyway. Besides, say the software expires...how are you going to get a newer version?

Re:Wouldn't it make more sense...

[cascadefx]

SuSE's Linux Distribution for 7.2 is almost exactly like this. From the Administration modules, you just choose to check for updates and it surfs their FTP site for available patches. Those patches are categorized based on security and functionality and list whether they are recommended or not. If you have software installed on your system that has a critical security patch available, the software is checked for download by default (though, you can uncheck if necessary). Once you have added or subtracted patches and move on, the software is downloaded and installed. Reboots are warned about if necessary.

This also works with update CDs, I think. Never tried it myself, but it could concievably work.

I don't run a production box, so I pretty much blindly upgrade stuff. If it breaks (none yet), I can always back out pretty easily. The utility also gives the security bulletin from SuSE or detailed descriptions of the packages if you want to look at them before deciding to install. Those that look risky... I generally avoid.

This is one of the best patch utils that I have found because of the advice component. It is similar to M$'s offering, but I think a little better (you don't have to reboot at the very least). I haven't tried Ximian's offerings, but my guess is that they are similar.

update notification

[no_opinion]

How about having someone write an open source update notification library instead?

Re:update notification

YAAYYYY! Finally someone with a sane proposal. A cute little script.

"your software is over n months old, would you like me to check for updates or patches?"

Giving the user both notification and choice. I like it. Perhaps I should look at doing something like that.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Guaranteed failure vs. ...

[Bigger+R]

...the chance that I choose or forget to upgrade?!

I think I'll take door #2, Bob.

maybe if..

it might work for beta and test versions that aren't designed to be used in place of the final version.

heh

[Ooblek]

like a Blade Runner replicant when it reaches a certain age, forcing an update

Uh, they DIED when they expired. Probably not a good thing to let your web server die over a long holiday weekend.

(Insert "Tears in the Rain" speech here.)

Re:heh

[Night+Goat]

Uh, they DIED when they expired. Probably not a good thing to let your web server die over a long holiday weekend.

Not only did they die, they got all violent once their expiration date was getting close. Imagine if your web servers decided to all mirror Rotten.com or maybe the insidious goatse.cx? I guess we'd need to take one of those bad ass three-barreled pistols to the computers. :D

Re:heh

well, slashdot does it, why shouldn't we all?

Re:heh

[YouAreFatMan]

Maybe he meant Logan's Run, where you were hunted down at the age of 30.

Re:heh

[e-Motion]

Uh, they DIED when they expired. Probably not a good thing to let your web server die over a long holiday weekend.

Interesting analogy, eh?

Slashdotter A: Apparently there's this idea that software should expire, kinda like coupons.
Slashdotter B: Huh?
Slashdotter A: You know, like a driver's license. You have to get a new one after a certain amount of time.
Slashdotter B: ...
Slashdotter A: Hmmm... like Bladerunner's replicants?
Slashdotter B: Oooohhhh...

Re:heh

$> Shutdown now
System is going down NOW!!
I've seen things you people wouldn't believe.

Microsoft ships on fire off the shoulder of Seattle.

I watched C-programmers glitter in the dark near the Tannenbaum gate.

All those moments will be lost in time, like tears in rain. Time to die.

Actually, I perfer the 2001 sequence. :-)

What makes you feel so sure what follows is better

[snStarter]

Just because there's a newer version doesn't mean it's better for an individual's purpose than what is currently being run. It could even break a mission-critical application.

Just what we need -- another group of folks making decisions they have no reason, right or responsibility to make.

Write software, let the users who deploy it take the responsibility for making changes. Or is individual choice and responsibility no longer important?

No

[m4g02]

Sysadmins should be available to do whatever they want, i dont like the idea of forcing updates because a security hole in a service you may never use. But a reminder could be ok.

Latest greatest?

[1984]

Who audits the new version? This is only well motivated if you're sure the new version is *always* a "better" version than the old.

Now what the hell does that mean in the general case?

And what about...

Those of us still running v2.2.9999 that dates back to 1996 instead of 5.5 because its faster, more stable, and does what we need it to? I don't want to be forced to upgrade, if I did, I'd buy windows.

LOL

That's one of the dumbest ideas I've heard of in a long time.

Re:LOL

[korgull]

Yep, I guess the guy was 2 days late sending this one in.

No way

[bsdparasite]

Why should I keep installing new software on my machine? Why should it not work the way it did before? This is a Microsoft based model for people who are obsessive with updating their software. I would love to use the same program that I used 3 years ago, but with a better OS base with more support for new devices. I don't care for bloated features. Just something that makes my day.

One ring to rule them all..the O in OpenBSD

Acceptance

[bemis]

There are several issues involved here that could be (and will be, I'm sure) argued ... but my only question is this: is the Open Source community secure enough in it's place in the market already to start forcing things like this onto it's users? This is one of those topics that does have merit, but I am of the opinion that any SysAdmin who chooses to go with an Open Source (read: "free") solution will not want the additional hassle of constantly updating it and tinkering ...

Isn't this one of the selling points of things like Linux/BSD that (under correct/secure curcumstances) they *can* run indefinately without maintenance?

Am I missing something?

bemis

-{insert lost .sig here}-

I have an idea...

[fiber_halo]

I have an idea. How about simply hiring compentent sysadmins?

Re:I have an idea...

Here's a better one!

Why don't developers write good secure code to begin with?
Behind every incompetent sysadmin who made the choice to run shitty code, there is an equally inept and irresponsible developer who released that code in the first place.

Sysadmins are only as reliable as the code the choose to run. Sysadmins are accountable for that.
From time to time, Sysadmins need to upgrade code because of security flaws or other performance issues. This should be an occasional thing, not a 4 month occurance.

If your code is that bad that it needs to self destruct to force people to upgrade, then you're just a delinquent. You have no business releasing your code in the first place.

Developers:
Stop punishing sysadmins for your mistakes. WRITE SECURE CODE OR GET OUT OF THE SOFTWARE
BUSINESS

In Open Source?

[WinPimp2K]

Umm, but doesn't everyone who uses such beasties recompile the executables from the source? If so, the first thing they are likely to do is disable the test for the expiration date. It will undoubtably be the first thing they do after being "stung" by a mission critical program that expires on them.

Of course, if a Closed Source package tried this stunt, everyone and their kid brother would join the lynch mob.

Absolutely

[geordie]

I've often thought that expiry times in software would be a good thing. Not nessesarily in Paid for software, but in free software where free updates are readily available. Would be great for the web.... imagine knowing that you will never have a Netscape 3.x or IE 3.x visitor to your site again... or knowing that on such and such a date you wont have to support Netscape 4

The only downside I can see is what happens when you've using some software and the developer stops developing it....your software passes its expiry date...no updates are available... what then?

Re:Absolutely

[tswinzig]

The only downside I can see is what happens when you've using some software and the developer stops developing it....your software passes its expiry date...no updates are available... what then?

What then is that you realize what a horrible fucking idea this is in the first place.

Re:Absolutely

[NoMoreNicksLeft]

Would be great if I owned more stock in hardware companies. Imagine knowing that after a certain date, those cheapskates with 486's would be forced to upgrade to something new and expensive if they wanted to browse with the latest 60meg bloatware browser.

Hopefully, there is still time for me to cash in on this, before Intel is at $700 per share!

Re:Absolutely

[Reziac]

Yup, your site tells me I can't use my *preferred* (older) browser -- and then I never visit your site again.

Yep, your site tells someone who can only afford an old P60 that they have to run a browser that requires a PII-600 with 512mb RAM -- and they never visit your site again.

Yes indeed, that's really fixing the "problem".

Notification vs. expiration

[TheFlyingGoat]

I don't think the software should automatically update itself or expire, but rather have some way of communicating with the sysadmin. For example, if you use the CPAN module for perl in shell mode, it'll tell you if there's a new version of itself available, and how to update. Most importantly, it does so unobtrusively (as opposed to some programs that get annoying about it).

Re:Notification vs. expiration

[jeremyhu]

or just use syslog to catch a "securitywarning" type of message for logging... That way people that care about this can actually log it and update their software, and people that don't can just disable that warning level.

Re:Notification vs. expiration

[flynt]

This is a REALLY good idea! Think if there was some central repository for security updates and stuff that shipped with the OS! You could just click a link on your desktop and it would show you everything that needed to be updated or that had security holes. Then you could easily check what you wanted to patch, and it would do it for you! The only thing left is a name for this great idea, how about "Windows Update"??

Re:Notification vs. expiration

[cdipierr]

The problem is that then you have to allow any arbitrary application on your system to talk to any arbitrary server (to verify the version vs. the latest). If you do so, then you have to watch that traffic to make sure things aren't getting sent up to the central server you don't want to be sent up.

Now with open source stuff this isn't as big an issue as with closed source, but you still have the potential for someone to abuse the system.

Say you have utility X v1 that does a function. One day it tells you there's a new version (v2) that's much better, so you let it upgrade w/o thinking. v2 gets installed and then the next time it runs it sends up arbitrary data from your system. It doesn't help you if a peer review a day later tells you not to upgrade, it's already too late for you. So that means you now have to closely check all the source of any app you install and you can never let it say "Yes, always update" w/o thinking about it.

Too much potential for abuse.

Re:Notification vs. expiration

How about Redhat up2date?

Re:Notification vs. expiration

[Erik+Hollensbe]

debian users already have this:

deb http://security.debian.org stable/updates main contrib non-free

add this line to /etc/apt/sources.list, and you'll get security updates for your programs as soon as they're released.

:)

Re:Notification vs. expiration

[Lumpy]

sorry but this can cause all kinds of hell for people.. CPAN perl module like to force perl 6.1 down your throat EVEN IF YOU HAVE IT INSTALLED but not in the correct location (redhat, we put your apps where they dont belong) so the cpan module doesnt detect perl 6.1 downloads nad installs it, and completely hoses your modperl install under redhat 7.2... Thanks redhat, thanks cpan... if I want it I will download it otherwise keep the damned updates off my computer.

This rant brought to you by many endless nights fighting with people's assumptions...

Re:Notification vs. expiration

[krogoth]

Yes, that's a brilliant idea you have there. You're not the first. Developpers generally call it "the announce mailing list".

Re:Notification vs. expiration

[Saeger]

Well, if you think that the potential for update abuse is too great, and there's enough people who likewise are stuck on the trust issue, wouldn't you expect to see some kind of peer-review voluntarily inserted between the vendor and the masses in the update process?

i.e. instead of having one authoritative source distribute a patch to everyone alike at the same time, the vendor arranges to send the update to a smaller pool of clueful and more trustworthy beta testers; if a simple majority vote to approve of the update--say after a few hours--then the greenlight is given for everyone else to update.

It's easier to put your trust in a peer-review proxy than in various vendor sources. ...of course, implimenting such a thing is beyond me, and who gets to choose who's cluefull?

--

and then do what ...

when it expires? pay someone to generate a new code to extend it's functionality?

sorry, but some companies purposely continue to use old software. shit, we have a lot of solaris 2.5.1 boxen around here ... guess what, tons of exploits, but the boxes haven't been 0wn3d yet.

besides ... i thought expiring software was called trialware ... i don't intend to 'trial' software on a production machine, only to have it stop functioning christmas day

As long as you can change the source...

[Eugene+O'Neil]

I have no problem with it. Anyone who has the brains to hunt through the source and remove the time limit should also be smart enough to understand the consequences of such an action. People who are not smart enough to do it themselves (or hire someone who is) should be grateful for whatever they get. If they whine about it, you can always offer to refund the purchase price.

Re:As long as you can change the source...

[nelsonal]

This seems like a logistical nightmare to me. Think of all the programs that you use that have the potential to expire. This is just a guess but I would guess that the average linux distro uses something in the neighborhood of 1000 programs. Imagine trying to find and edit each program's kill setting. Even if only 10% of these developers impliment the idea, you still have to find the 100 programs that have this feature and not knowing which means checking all of them or looking through the documentation. Especially if each time you updated the software you had to edit this out, it would become very unmanagable.

Make it an option

[stuphi]

I would hate this to be forced. Some boxes just sit in the corner doing their job. It would be a crime if these just fell over because of a time bomb in the code.

Maybe just create incompatible libraries?

How about an automatic expirer that will work for all software on the system: Maybe we should, from time to time, make incompatible changes to shared libraries, so that old programs will not run any more. Thus, not every programmer will need to put a timebomb in, but instead timebombs will be automatic?

Re:What makes you feel so sure what follows is bet

[m4g02]

I agree, developers must trust other admins and no trying to do their work or think instead of them.

"It just suddenly stopped working."

[Christopher+Thomas]

This would be a Bad Idea in embedded devices, because they may very well be designed not to be upgraded.

This would also be a Bad Idea in any installation where the person maintaining a machine may change (which covers just about everywhere). It's hard enough keeping track of everything on your own machine - what about a machine you inherit from a previous administrator?

The machine suddenly stops doing something vital when the software expires, and you have to track down what and where it was.

Better just to write "review the installed version of Widget X" in your day planner at regular intervals.

Re:"It just suddenly stopped working."

Sure hates that when a life support system component insists on installing the latest Direct X 10.0 and needs a reboot in the process.

What a bizarre concept

With the greatest of respect, this can only apply to people who woould NEVER view the source code, once you've seen it the appropriate routines can be deleted (or at least made no-ops).

Uptime dick measuring contests

[DickBreath]

Well, there goes my uptime. Reboot and upgrade required, your kernel is about to expire. The server is going down now.

Re:Uptime dick measuring contests

That message might be seen all over the internet if someone hacks the servers ( Naval Observatory for instance ) that are used for auto time correction. Slashdotters, hold up your hard copy of your LINUX distro and your backups if you are running a daemon for this.

Doesn't Microsoft do this already?

[HiyaPower]

Last time I looked, they wanted you to take a run on the treadmill verey year or so.

Why, why, why would you do this. If a piece of software is being distributed with no support, there is no reason for anyone to want to replace a working piece of software that does the job that it is meant to do with another one that might or might not work. For companies who support software, it is reasonable to say "Hey, get on the latest release. We may have fixed that problem a long time ago." but for non-supported open source, you gotta be smoking the Willy Weed to think scheme up.

Sure....

[stripes]

Open source being what it is, nothing can stop dedicated users from removing the expiration code from their packages. In the case of stalled development, this may even be necessary, and it can serve as a safety valve to help offset the dangers of software expiration. This makes it fundamentally different than licensing schemes that permit automated remote disabling of software packages.

Sure, until the first time your gcc expires then you are dead... (or gcc is working but ftp, httpget, and curl are not...)

Or the first time you unearth some old hardware and want to bring it back to life. Sure you could reinstall from scratch, but that lengthens the time it takes to find out if the hardware really still works, and what is on it!

Re:Sure....

[jgerman]

Are you so deluded to think that you can't write your own compiler, or here's a novel idea, gcc is the first thing you recompile without that option.

Re:Sure....

[stripes]

Are you so deluded to think that you can't write your own compiler,

Oh, I already have, but it only did VAX and SPARC output (both badly).

Dumb.

[dasmegabyte]

What a dumb thing to say -- any requirement you make for Open Source will be totally ignored by a good segment of the population no matter how good an idea it is. You can't make demands of a free community simply because much of the population are idiots. It's those idiots losing their jobs when the servers become infested with hackers that is going to teach them to update their software. Putting in artificial expiry dates only leaves another worthless feature to debug.

Expiry is for shareware...open source's trademark is its install once, run forever (for most applications) reputation. And for machines properly behind firewalls, this reputation is justified, even with the holes. Who is going to be rooting the print server at our church with no internet access.

Umm...

[Alcemenes]

That's mighty Microsoft of ya. Translation: I think it's a bad idea.

Xfree86 Beta's (almost) do this

[mendepie]

When you run a XFree86 alpha or beta server, it prints a warning when starting up that it is most likely out of date.

It would be nice to have a way to know when software needs to be updated and get it done, but it has to be under the control of the administrator.

I think apt-get up one of the rpm auto-updaters is a better approch. What is needed, is a script that you run (nightly from crontab) that checks installed versions vs. current versions vs. suggested-for-security-reasons versions and produces a report/email suggesting updates happen.

blade runner software?

it is a strange thing to meet your compiler

Great...

[2Bits]

Everyone in the OSS community has been bashing (well, most people anyways) MS's forced upgrade treadmill, and now, we want to adopt that? How hypocrit can we be?

I have the source code, leave me alone, even if I want to leave with all the security holes I want. That's my choice. That's all about being free.

Now, if I'm forced to upgrade, and there's still security holes and my system gets cracked, if I can sue you for loss and damages, then we can talk about forced upgrade. This should apply to all commercial softwares.

Otherwise, just leave me alone. One MS model is bad enough. We don't need more.

Freedom..

[defmonk]

Isn't open source about freedom to do what you wish with software/computers? Good or bad, this would go against that.

-JAB

Auto-updating perhaps, expiring, no.

[redfenix]

For client apps and peer-to-peer apps or any client which runs on the 'net, an auto-update would be nice.

Perhaps automatically updating a dynamic library (of some sort) and re-loading it without requiring the user to restart the app would be a Good Thing (tm).

However, most sysadmins like to have control over their boxen and not have their webservers go down just because they "expire." (or even auto-update in this instance).

A modest proposal...

[realgone]

Better yet, I suggst we rig it so the sysadmins "expire" when they reach a certain age. Forcing an update, of course.

Hey... how else are the young techies of the world supposed to get the plum jobs and read /. all day? =)

A better idea....

[Picass0]

How about instead putting a little bug in the code that contacts the author every time the software is run? It could also send some basic marketing information as well, such as the names of every DVD watched, or MP3 played, or every website visited.

What a great feature!

Re:A better idea....

[BetaRelease]

A better idea is to "expire" people with lame ideas like this!

Shades of MS Activation!

Re:A better idea....

And.. hey, since apache.org has no stock, how about they sell out to M$ while they are at it. The "new" MicroSloth Apache server.. to replace IIS... Enter your Key Code:

IWANT-2KILL-ANY1-WHODO-ESTHI-S2GPL-SW!!!

Seriously, so I just keep my source to the
the latest Apache (w/o "expiration" code) and
fork my own version w/o it. The beauty of "free" software :-)

AutoRPM

doesn't AutoRPM already check for out of date packages (atleast RPMs)? Of course you configure it to auto update or let you install packages at your leisure.

I think keeping software up to date is a good idea, but developers need to keep in mind that when they update, they need to take into account whatever custom settings the user may already have with the software. I've lost WAY to many config files or had the software mess up my configs with whatever settings they thought should be defaulted.

Gnumeric

[OpCode42]

Gnumeric had something like this.

I was running an old version, the one that comes with a default slackware 8.0 install.

On opening, it popped up an alert saying "This software is old, and has probably been updated by now! Check out gnumeric.org for an update."

No hassle, just a one-off friendly reminder.

Good idea, I thought.

Re:Gnumeric

At least it let you run the software. How about this: Class presentation day. You launch Realplayer on your laptop to show some video. "Your version of RealPlayer has expired, please download a new version". Goddammit, I'm in front of 30 people, my laptop is NOT on the network, and my 10 minutes timeslot is expiring. I don't have TIME to download and install a fuckinlblarhfap arg!! NEVER REALPLAYER AGAIN.

Re:Gnumeric

You do know that you can change the date on your computer, right?

Re:Gnumeric

Agreed, though it would be nice if the message also had a checkbox "don't show again". I use it at work (where I don't have control of the system to upgrade it myself), but since it's not officially supported, the admin folk are too busy to upgrade it, and I'm not bothered by the older version (0.67)

Re:Gnumeric

Any days or week are irrelevant to how old software. The fact of new version availability is the only what should be counted.

I imagine the situation when the corporate server failed (expired) but at that time there is no available patch - the developers, who calculated expiration, were thinking they would have new update and then they ... died, fired, hired, graduated, arrested, deported, whatever.

Another observation: whenever some software is expired and stopped its work - it's the greatest frustration experience.

Don't repeat stupidy of commercial vendors. Don't make it expired!

Re:Gnumeric

[(startx)]

and a clear headed individual would have just set the system time back a few months to get around that. But.... I probably wouldn't have been thinking clearly in that situation either.

Locksmiths will try to sell you the biggest safe

[Pussy+Is+Money]

This is typically the kind of braindead attitude that gives security such a bad rep with management. Just like everything else, security has to undergo cost-benefit analysis. If the cost doesn't justify the benefits, then you shouldn't do it, no matter how good it feels. If your website doesn't store sensitive information and gets defaced once every two years and it costs 2 hours to restore, then it just doesn't pay to bother with 30 character randomized passwords and training plus background checks on all staff.

One of the great benefits of open source software is that you can install it, then barring any critical bugs or flaws, you can forget about it. You don't have to buy new licenses each year and you don't have to upgrade your software just because your vendor needs to kill a competitor with software upgrades that break stuff. Having software expire gives you all of these problems without any of the benefits. And who says that the new version will suit your needs any better?

I disagree

[flynt]

You can't pick an arbitrary point in time when software is ... "known to have security holes!"

Sure I can. How about "right now."

Re:I disagree

[xyzzy]

So based on that concept, the software should simply refuse to run from the get-go!!! :-)

Re:I disagree

[Pedersen]

Wait, I thought this was about not running Microsoft software?

Re:I disagree

[SlaterSan]

Well that sounds like me trying to get debian to install...

Re:I disagree

I remember the first time I got trapped in dselect swamp. I had decided to give Debian a try.

It dragged me into a pit of inner dependencies and dreck. It was almost as bad as doing a 'choose every package' with Slackware.

I said fuck it, and went back to using Slack.

Re:I disagree

Eeek. try again, and this time eschew dselect for the task packages.

If you find later you need something not in the tasks, "apt-cache search" and "apt-get install" will do you right. This even works if you're not connected, because apt will build a list of all packages (not just ones you installed) from the install CDs. Of course, that's assuming you keep the install CDs with you...

With any debian from the past 3 years or so, there is absolutely no reason to subject yourself to the horrors of dselect.

What if?

[aneurysm36]

What if there isnt a newer version?
What if the newer version isnt free?

Expire

[surfcow]

... that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update.

I see. Does the program then track doen its creator and kill him?

"I want more life, fscker." =brian

Not expiration, deployment management!

[edashofy]

The problem here isn't that we should explore how to make software expire to force system administrators to do something, but to create *better deployment technologies* for our software. Microsoft has a pretty good edge on deployment, informing users when there's an upgrade available and allowing them to upgrade.

Even if you don't like how Microsoft does its deployment, certainly some sort of standard, well-managed deployment system for OSS could be developed.

Just Warnings / Updaters

[tweakt]

Mozilla currently will warn you when a build is older than two weeks. It continues to function however. The reason for this, is so that bug reports are relevant to the current codebase, and new bugs are found quicker, and less duplicates are reported.

Personally I don't feel the software should expire or stop working in any way. But a better approach is software that can check for newer releases of itself, and possibly auto-update itself.

A good example of this is Gnucleus's evolve capability. If a security problem is found, most all the users would know about it the next time the program checked for an update, and it would get fixed easily within a day or two.

What about X windows

[slycer]

It already kind of does this. At least it has a nag screen on startup (or in the log files). Mine reads like this:

XFree86 Version 4.2.0 / X Window System
(protocol Version 11, revision 0, vendor release 6600)
Release Date: 18 January 2002
If the server is older than 6-12 months, or if your card is
newer than the above date, look for a newer version before
reporting problems. (See http://www.XFree86.Org/)

It at least tells you the *date* that it was written and warns you about when it will probably be outdated.
That's about the extent of warnings that I like in most software.

CBDTPA / SSSCA

[MConlon]

Assume a worst-case scenario: would you want the software (some of it critical) on your machine to expire if we end up living in a law-induced dark age?

Personally, I want my 60MHz Pentium server to run for as long as *I* want it to... not as long as some third party (whether that be a hardware developer, a software developer, or the government) wants it to run.

Of course the nice thing about OSS is that you'd be able to remove the code that expired it.

MJC.

No, it shouldn't.

[Drakin]

There's some cases where there's no need for the program to be updated, no matter what securiy risk it might pose.

If it's sitting in a lan that has no acess to the internet, or if it's being used in a case where space is limited... there's probably other reasons that software shouldn't expire.

How would you like if your computer decided that it wasn't going to run a critical (to you) program and you have to stat reinstalling it while a deadline creeps closer.

Maybe a reminder service would be the best way, after so many days/months/years it makes a reminder to check for updates. That, or educate people that upgrades for securty are a good thing in some cases.

Software expiry date?

[decipher_saint]

Software expiry date? Like that can of cream in the company fridge?

*sniff* *sniff* "Is that the PDC?"

Win95

[sharkey]

Sounds like a Microsoftie thing to do. Remember Win95? If you left it running for 49 days, IIRC, it would crash.

Why it's not that silly an idea.

[west]

Given that an exploitable system is not just a danger to oneself, but also a danger to others, it's quite possible to justify expiring software the same way that one justifies enforced adherence to safety measures. Its quite common to force companies to upgrade equipment to current safety standards. This is merely a mechanism to protect the community.

While it doesn't necessarily justify forcing users to upgrade, this debate is not an entirely one-sided.

Re:Why it's not that silly an idea.

[jgerman]

Yes this discussion is entirely one-sided. Your completely fucking off base. Though I shouldn't be suprised, people always come along that think they know better than everyone else and have the right to tell them what to do. This is taking an movement that started so anyone can use software anyway they see fit, and trying to pervert it to fulfill someone's holier than thou attitude. It's just fucking wrong, not to mention impossible. Let me clue you in, the code is GPL, I have the source, or can force you to make it available to me. Want to talk about code forking? I'll start taking every piece of crippled software, removing this crap and re-distributing it. You want something like this, go create your own license, I promise you you'll fail.

Defeat

Defeats the purpose doesn't it?

AC because it will not let me log on!

Think of the carnage!

[Infonaut]

Egads... Apache 1.3 is about to expire, so it hooks up with The Gimp and wreaks havoc, running through the filesystem looking for the kernel, so it can extract revenge, or at least look for a way to avoid death.

One Rutger Hauer is enough, thank you!

instead of writing secure software?

[mrroot]

So instead of writing secure software in the first place, now we will just give up and say, ok we know this software isn't going to be good enough to last very long, so we're going to timebomb it for you. How nice.

Not

[georgn]

So you're doing an embedded linux to control a microwave oven (a really fancy oven). No network connection, etc. You think the software should expire? Not.

And then there is software that could be considered free of bugs if people stopped updating it. Consider cat and ls which are both a lot bigger and buggier than they were in their youth. For this class of software, the expiry-update process becomes a NOOP (creating a potentially worse problem of man-in-the-middle attacks causing believed stable software to be updated with trojans and the like).

No, expiry alone doesn't solve the problem of mass cluelessness.

red-carpet

[jojor]

this is like ximian's redcarpet: although its nice and handy it kills you when you are on a dial up!
Its good to be up to date but if there are daily notices like " You have to update vital system files, approx. 56mb" it just causes an instant :"Screw That!" reaction.

Re:red-carpet

[Chandon+Seldon]

I run debian unstable. I have a 56k dialup connection. Every month or so, I run apt-get dist-upgrade, which updates *every* package on my system that has a new version, which ends up being a good chunk of them since debian unstable includes the newest beta versions of a lot of stuff.

Since I know that this process is going to take a while, I usually do it right before I plan to go to bed. It will say things like
157 packages will be updated, 187 meg to download. Ready [Y/N]?

I say "y" and go to sleep. When I get up in the morning, the system is done upgrading. For an especially big download, it might take longer than I sleep... in that case I eat breakfast, go do something else, and eventually it finishes. Even 800 meg downloads only take a couple days over dialup.

Remember Win98 crashing after 49 days

[Brento]

He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update."

Remember the bug where Windows 98 would automatically halt after 49 days? See, Microsoft really IS ahead of the security curve!

Re:Remember Win98 crashing after 49 days

[Jester998]

"Windows 98 would automatically halt after 49 days? See, Microsoft really IS ahead of the security."

Umm, in order for this 'security' to be effective for Windows 98, wounldn't it have to crash in about 20 minutes? I mean, that IS the maximum security-life expectancy of one of those machines, isn't it??? Then again, back then everyone was on dial-up...

Re:Remember Win98 crashing after 49 days

[i_am_nitrogen]

I once had a dial-up box r00ted within 6-12 hours of connecting. Just an innocent little RedHat 6.2 box. I'm positive it was FSGS's fault.

Just do your thang

[Nick_Psyko]

I can't even be arsed to reply to this 'story'.

I just did.... is that a paradox?

Who wants bleeding edge?

[why-is-it]

He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update."

IMHO, I want to have the latest security patches, but I will only install them after the patches have been tested in a lab environment in the hopes of limiting potential problems when those patches are installed on production systems.

Security patches aside, I don't want to be forced into upgrading perfectly useful code just because it has been deemed "too old". If it ain't broke, why should we fix it? I have the scars from some particularly unpleasant upgrades that were supposed to be seamless and transparent, yet were anything but. When I build a server that will be connected to any network, I remove as many packages and modules from the OS as possible and only install the application and whatever dependancies that it requires, and nothing else. We have fewer vulnerabilities to track as a result. I will upgrade when it makes sensse, or is required, but I don't want someone else who is not accountable to the company I work for making that decision for me buy putting time-bombs in their code.

There is a reason that it is referred to as "bleeding edge" after all - you get hurt.

STAR WARS: Help Natalie get on Rolling Stone...

VOTE FOR NATALIE!!!

What about automatic discovery of upgrades?

[Corporate+Drone]

Folks seem adamant that automatic expiration of code is a bad idea; on the face of it, I'd have to agree.

Maybe it's not an idea totally devoid of merit for binary installations, but for installs that included compile steps, it just doesn't seem to make sense.

However, I'm curious what /.'ers think about automated upgrade detection, a la virus protection programs?

It'd be difficult to co-ordinate, and would work best in some sort of centralized location (or, at least, in a few locations. maybe by OS (Linux tools) or by application (I'm thinking logical groupings of apps here).

what do ya'll think?

That's ridiculous

[dark_panda]

So if I have a perfectly good piece of OSS running that hasn't died on me, is secure and doesn't have any real issues, I should expect it to die anyways after X days, regardless of need?

And what if there's no update available after said expiration?

If I wanted softwate that was designed to die after so many days, I'd use Windows. (At least, sometimes it seems like it was designed that way.)

J

FYI

[DeadPrez]

April Fool's Day was two days ago.

...And in related developer news...

Logan's Run for *nix v1.0b was released earlier today. Time to make processor time worth-while

MS forced updates?

[tomstdenis]

I've read a few replies about "MS Forced updates are already bad enough".

WTF are they yamming about? I am running XP and I am *not* forced todo anything. A little popup will say "there are updates" but I can just as easily dismiss the box and go on my way.

Of course I choose todo the updates since I like it when MSFT fixes bugs...

Tom

An excellent idea to consider

I am dissappointed in some of the short sighted thinking elsewhere in these responses. This idea is exactly the type of thinking that should be encouraged, not discouraged, to solve security problems today.

How many people use open source software AS IS? I would be the majority. I would assume those that object to this could just compile out the expiration and continue as normal. But for the 98% of the rest of the world, focing upgrades and security patches is not a bad idea. I for one would like to see it explored further, not dismissed as "foolish".

what if it's not broken?

[unsinged+int]

This only makes sense if the software that expires actually needs updating...and you don't know that it will need updating when you write the program and release it (if you did, you'd just fix it pre-release). Once something reaches a stable version, it would really suck if every year or so (that's another thing...how do you pick the time period?) it still had to be updated.

what if there's no new version?

[.smoke]

I haven't seen this mentioned yet among the may reasons this is a bad idea... The point seems to be to force an upgrade to a newer version after a certain period of time. Well, what if it's an old project, that has since been abandoned? There may not _be_ a newer version with a later expiry date. Or perhaps the program is considered stable and there's no need to write a newer version.... When was the last time you grabbed a newer version of 'nc', for instance?

B*B,
-Smoke.

A better idea...

[eth1]

...would be to standardize a way to include a distribution date or something with the software... Then just have a simple bash script that displays the dates of your important stuff, and you can decide if it needs an upgrade. If you want to get fancy, cron it and have it email you if something is too old.

Alternative: SecurityFocus Pager for example?

[rtos]

Yeah, nothing like having your systems go down over a weekend because you didn't upgrade fast enough. Pfft!

Why not try something a little more reasonable, such as SecurityFocus Pager 3.0? And I blockquote:

"The SecurityFocus Pager is a dynamic application designed to help system administrators track content of interest to them on the SecurityFocus.com web site. It affords the system administrator the ability to select categories of interest and tracks them automatically, notifying the administrator when new content arrives. The Security Focus Pager displays short descriptive summaries allowing the administrator to stay updated on relevant issues in the security world, including vulnerabilities, news articles, software releases, and other important information."

Of course, there are other tools available that do the same thing (or something similar). The point is tools like this allow admins to stay up on security issues, but let them upgrade immediately or as soon as practicable.

Or you can just do an apt-get update; apt-get upgrade; once in a while like I do. ;)

Re:Alternative: SecurityFocus Pager for example?

apt-get update && apt-get upgrade

is better because the upgrade doesn't happen if the update fails. Just an observation.

YRO?

[FortKnox]

Hehehe... This is funny... the YRO guy publishes an article that takes "free" out of "free software" (you are being "forced" to do something). LOL! Only on slashdot...

Lets not even get into all the nice open source programmers spending time putting in something that some 1337 d00d will remove in a matter of seconds upon release.

If the sysadmin CARED about security, he'd upgrade his software, wouldn't he?

Open source software. I thought the idea was to make it free and not care about what people do with it (except sell it for money). Now we care? Come on!

What...

[Squidgee]

happens when said programs are very large, and said sysadmin has a very slow connection? WHile this is a good idea, that is what I forsee as the only problem; I know it'd be a problem for me.

Problems with this

So what happens if the application it dumped by the author. You end up with a useless system?

Bad idea

[mbourgon]

How many projects have gone dark, never to be seen again? Heck, I was looking at this Gnome newsreader that looked cool, but no-one had a link to the code. If the thing's fallen out of development, what happens when it expires?

The Newton community has had this happen several times; the developer is gone, since the platform's been dead for a few years, so how do re-register the software?

Need To Encourage Participation, Not Force It

[mckelveyf]

I think the biggest problem with such a model is that it places the emphasis on forced compliance to software renewal, rather than on making sure your users are informed and participating in the program's community. Now that might not be happening now, but it doesn't mean it can't or doesn't happen. Free software is based on ideas like that, and by forcing, rather than encouraging, partcipation I think you loose some of the value of a fs/os programming.

It is called syslog

[NotoriousQ]

The software can just dump "check for security upgrades" messages into syslog, and the administrator can decide. Now if the administrator ignores those, he deserves to be rooted.

Besides, aren't up2date, rpm, dselect, etc. exist to do the work for a lazy admin.

As for forcing -- i will mirror the general slashdot public -- hell no.

Possible alternative..

[Dragonshed]

At face value, this is a bad idea, because it forces everyone to comply. However, I can think of some cases where the environment (say government) would demand this kind of functionality. A possible solution would be to have some kind of suite that manages expiration for installed apps/services. This would alieviate the need for each app developer to support this feature, and empower system admins who needed this functionality to easily add it (assuming the suite was implemented correctly).

My 2cents.

An Alternative Idea?

[ath0mic]

Would it not be better if the software updated itself after a set amount of time, rather than expire.

No Way

[IRNI]

Just because someone has an old version of software that may have some known exploit in it doesn't mean they have to upgrade to a newer version. For many reasons I wouldn't want that to happen. I use an older version of sendmail on one of my very low key servers that has no contact with the outside world. Simply because it has a config file specifically for it that does everything I need. Now if it expired and I was forced to upgrade I would have to rewrite everything because the syntax is different. I don't like being forced to do something like that when I don't have time for it.

If you are going to make me update because of a security hole, make sure your product is 100% backwards compatable with the version I am running. IMHO that is the way it should be.

Bad idea

[CaseyB]

Apart from the obvious fact that you're making the software non-free-as-in-speech, this makes the dubious assumption that software always gets better with each version.

What about the case where a new version is released to fix a minor performance problem, and a new security bug is introduced? Even with rigorous testing, massive security holes do slip though. No process should be automated that has even a CHANCE of making things worse.

Its true, its true.

[MisterBlister]

Jon Lasser is an idiot.

Re:Its true, its true.

[atomic+brainslide]

Jon Lasser is an idiot.

maybe true, but he'd make a great politician in the USA! i say, those chaps have a talent for attacking a problem for the wrong end. :)

Bad ideea

[c.r.o.c.o]

There is no real reason why old software should have an expiry date.

First of all, there is a lot of code out there that is simply not maintained anymore. It doesn't have any major bugs, it does what it's supposed to do, so why expire it? Even if you tried, you couldn't get new versions for it. One example is tkirc. I used to love that app, but the last time it was updated was sometime in '98. I still use it whenever I feel like IRC-ing...

Second of all, older apps and distros are small and work on old computers.For example, an old Linux distribution (e.g Slack 3.x) will run without any problems on my old 486. It's small, fast, stable, and it gets the job done. In my case, running IP masquarading, a small ftp server and an ssh server. But RH 7.2 will not even install, because of the 8Mb or RAM that the 486 has. If the expiry code would be enabled in that Slack distro, it wouldn't work. So that computer would be useless, unless I took the time to trim a new distro to fit on it.

The third reason is more debatable. It's the admin's job to keep the systems updated. If his box gets hacked, he should be responsible for it, and suffer the consequences. It happened to me because of an old wu-ftp on RH6.2. I knew of the vulnerability, but I was too lazy to upgrade the package. Well, needless to say I had to reinstall that computer. Since then, I never leave any apps running or any ports open unless I know the apps are safe and I absolutely need the ports to be open.

So I say leave the software as it is, without an expity date on it. Even if the expiration is only activated if a hole is discovered, leave the app as it is. Maybe someone is using it on his personal, isolated network (or box) which nobody will ever hack into. But that someone might depend on that app for some task, and he can't live without it. I know it's a stretch, but still...

How about...

[kirkb]

Instead of a negative approach such as software expiration, how about some thing positive, like a tool that helps sysadmins do their job easier?

I know it's blasphemy here to tip the hat to Microsoft for anything, but my XP box pops up a little balloon whenever an update is available. Imagint a little cron-driven script that checks for updates and offers one-click access to new RPM's or whatever.

The fact is, any decent sysadmin should be able to keep his junk uptodate without needing any special help. For the sysadmins who are to lazy|busy|stupid to do this, a little "sysadmin's helper" tool would be great. In fact, I'm sure it probalby exists already.

I'd rather get e-mail

[wytcld]

How about a collaborative, distributed system where each crucial piece of software by default (overridable of coure) registers with a listserv which sends only security announcements related to that particular component? This might not work so well for, say, the multitude of GNU utilities, but it would be quite convenient for the kernel and the major daemons a typical server runs. The trick is to have the notices originate with the project responsible for the daemons - open soure projects, unlike Microsofties, usually are the first best source on vulnerabilities. Securityfocus is good, and general mailing lists devoted to daemons are good, and even just reading /. is good, but it would spare the busy sysadmin part of the drudge of the duty of diligence if (s)he could keep a mailbox which received all of and only security notices pertinent to services which are really at issue, with these notices originating, whenever possible, from the project maintainers. Either part of the open source project RFC could be "Set up a security listserv and subscribe by default on installation," or there could be something centralized that consolidated across projects.

I have stuff running in two-year-old versions, and stuff I updated last week, and I'm much better off than if everything just had the average version of a year ago. Age by itself is meaningless and would be a nuisance.
___

Iiik!

[MouseR]

What about good software that does an adequate job on relatively old hardware that, once expired, forces you to upgrade hardware?

Bad idea.

He must never had to work with LMGRD

[joeflies]

As great of an idea that LMGRD sounds (a commercial license management program that requires a flatfile of software-enabling codes), there is always a machine somewhere that has it license expires at the most inopportune time, requiring an all-hell breaks loose call to the vendor to get new license files installed.

This happens at all the customer site's i've visted for one of my former employer's products, all of them dealing with one product. Imagine what kind of pandemonium that you would have with hundreds of time-bombed programs, expiring at different times of the year, running on a mission critical systems. I bet that would feel like trying to run a business on a box full of unregistered shareware

Bad idea.

[soap.xml]

Anything that forces and update on the user is a bad idea. This is the total MS philosophy that ./ beats down on every day of the week. A simple reminder message, or a friendly notice that a new version might be a avialble is okay but even that might be a bit much.

I would say that the best sort of system would be an opt-in system that would let you know if and when there were any updates available... (think redhat). This way my disconnected machine stays alive and running until a hardware failure, my firewall gets patched iff there is a need, and my dev/test boxen get updated like crazy cuz I am in the know on all the latest and greatest patches.

Free software, free updates, and free will for the system admin. That is what its about. Responsible people running systems responsibly (we hope :D)

-ryan

Great Idea

[dgb2n]

This is great.

I have a similar idea for my car. You could design an oil system so that once the car had been driven more than 3000 miles, the car automatically drained all the oil from the drain pan and left the engine without oil.

This would prevent a careless driver from driving with oil that no longer provided sufficient viscocity.

Re:Great Idea

[soap.xml]

I can see it now....

Wife gets new car, new car has new improved oil change technology, I buy new engine every couple of months... :O

Re:Great Idea

[srw]

> I have a similar idea for my car. You could design an oil system so that once the car had been driven
> more than 3000 miles, the car automatically drained all the oil from the drain pan and left
> the engine without oil.

A friend's truck refuses to go faster than 60km/h (That's about 35mph) if you don't change the oil for a long time. (10000km, I think)

I don't see a problem with this type of protection. Of course, it's important to have warnings well in advance, rather than just "drop dead" once the time limit arrives.

-srw

Re:Great Idea

[nEoN+nOoDlE]

If it's my car, why the hell can't I be allowed to break it?

Re:Great Idea

[Unknown+Poltroon]

think is a great idea. Especailly when the truck slows down to 35mph in front of a truck going 75.

Re:Great Idea

[Al+Kulepy]

I like the idea of a red warning light (or e-mail. or ping! sound very quarter hour) that lets you know that your source needs updating. You can choose to ignore it, but it will remind you that you *should* eventually do something about it.

Re:Great Idea

Who says you own the car? It is entirely the intellectual property of the car manufacturer! You are using it in violation of the copyright holder's terms!

Re:Great Idea

[laserjet]

exactly. your point is simple, but important.

it is our stuff, let us do what we want. Now, if you want to put a friendly reminder in your software or even a checkbox that says "stop working when this software is out of date", fine. but don't force me to do anything.

for if you do, i won't use your product.

Re:Great Idea

[laserjet]

moderators:

why did you mod this as insightful? this is NOT insightful, it is sarchasm!

could somebody moderate this that is not on amphetamines?

Re:Great Idea

It's insightful sarcasm. The two are not mutually exclusive, you know.

Wrong date

[unformed]

This belonged in the nwesitems two days ago.

A better proposal...

[chrysalis]

Have the system automatically keep all packages up to date, when critical bugs or security flaws are found.

SuSE Linux can do that for a long time. And all automatically installed packages are signed with GPG.

Probably a lot of other distros and operating systems can do it, too. And when it's not the case, centralized system management (/usr/local/ shared with NFS, or ssh scripts to replicate the content of an up-to-date box to other boxes) makes it easy to keep everything up-to-date and secure.

EXPIRE?

well, *some* opensourceware should die/be killed/put to death mercifully... that is for sure.

no, i mean it.

No Mandatory

[SkyLord]

I'd prefer to see some sort of alerting or notice (syslog, mail, app log, etc) be the method to encourage SysAdmins to upgrade, not time-bombing them.

It's Open Source isn't it? If it can be freely developed, shouldn't it be freely used as well with few restrictions?

I got a better idea

All Open Source software should require activation!

Ok seriously

[Alcemenes]

Why should I have to put up with software expiration dates because other people can't be responsible with their software? If you remove the user's need to think from the equation eventually the software will have to do everything. Look at Windows XP. It tries to hold your hand for everything. System administrators need to take responsibility for the systems they maintain, not the software developers.

Introduce Choice and it could be helpful

[shaw7]

I agree with those stating that I should be able to run softward as long as I like un-inhibited - particularly when it's Open Source.

However, I would not mind if on install, a application asked if this was a security sensative box and would I like the software to update/time-bomb after a certain period.

There would be some machines where this would be nice....

Then again, the RedHat Network can do this for me as well...

One of the advantages of open source.

[SuperguyA1]

One of the advantages of open source, not inherent it just happened that way, is that it is the users responsibility to be clueful. Forcing clue upon the user is a slippery slope. Once you get to the point where the user can't screw it up you get a much less useful product because it's extremely difficult to modify. You end up with... well... windows I guess.

Your kidding

[lkaos]

So, you want me to tell my boss that our web server is free software and has expired because the people writing the software figured by now it would have a bunch of security holes?

That's gonna be easy to sell. I can just imagine it.

Boss: "Why did our server go down last night!?!?!"

Me: "Well, it expired."

Boss: "It free for Christs sake! How does the d*mn thing expire if we're not paying for it!"

Me: "Well, the authors figured that by now, there would be a bunch of problems in the software so they want us to upgrade it, it's really a good thing."

Boss: "I thought this free stuff was supposed to work, not be full of security holes! We're switching to IIS!"

This has probobly been said...

[El+Pollo+Loco]

but what happenes when the software stops being updated. Then your current software which is working fine stops working, and you can't upgrade it because it doesn't exist anymore.

Waste of time

[Captain+Pooh]

Wouldn't it be better if patches were released to fix a software bug, and to improve performance and other stuff as is already being done. So a sysadmin could keep earlier software that has been patched for a security bug without having to upgrade to the latest version, and what if the latest version has a bug in it also. Then the sysadmin would have to patch that version.

Log It Instead Of Expire It

[Samarkind]

What if the system were to log the last update for all packages to a central file that could be polled by the admin? Or email the admin once the software reaches a certain age? I doubt many security patches are deliberatly not applied, but most admins are probably overworked as-is and would appreciate a gentle nudge to check for security updates on a piece of code that they normally don't look at too often because it just works.

Re:Log It Instead Of Expire It

[ajs]

Yep, it should just send a message to syslog once a day or so after it reaches a crittical age. The question is, what software do you do this for. Here's some that you really should

• openssl, openssh, gnupg, etc -- Anything that thinks about data encryption should be updated regularly because you expect advances in cryptography and crypanalysis to make your current version less secure
• gaim, pilot, etc -- Any software that is trying to grok a third party interface or protocol without official specs and/or support will probably have to be updated regularly.
• ftpd, sendmail, etc -- Software that is known to be a favorite target of script-kiddies should be updated as frequently as you can afford to in your environment.

Medical companies would have a cow...

[allism]

(I work for a medical device company)

Every time medical company (i.e. a drug manufacturer or a medical device manufacturer) implements new software, even if it's just an upgrade to, say, their call handling software for their tech support department, a validation process has to be performed. This includes:

a risk analysis to determine HOW much validation has to be done according to how much harm can be done (and yes, there is harm even in the tech support software)

creating a test plan

testing the software to make sure it works to intended use

completing validation paperwork documenting that the testing was actually done

creating a validation report and test summary detailing your findings

keeping all these records on file for a long time so the FDA does not land on you like a hungry 2-year-old on a twinkie

If you're a medical company and you DON'T plan on doing all this, you can expect a write-up (which must be responded to) at your next FDA audit. If you don't respond to the write-up, hire a lawyer cause the FDA is gonna shut you down. This is a large part of why we've kept around some of the DOS applications we use--no one here has the extra time to do all the validation on new software.

Re:Medical companies would have a cow...

I worked for a medical device company. I'm sure we did all of that stuff. But the FDA paperwork was done by a group of people NOT developers, and who likely hadn't the technical background to really know the risks involved. Certainly they didn't have enough knowledge to do so.

Re:Medical companies would have a cow...

[allism]

We're small enough that the PHB's have no problem drafting the technical people to do validation paperwork. The last time we had a seminar on validation strategies, we had 12 attendees out of the approximately 60 people who work for the company (including receptionists, assemblers, etc). Seven of those people are developers of some kind who have, at some point in their time here, been sucked into the black hole of paperwork that is FDA requirements.

Nothing personal, but if your fomer company's people weren't well trained enough to be able to evaluate the risks involved in their medical devices, I'm worried about the safety of anything your former company put out.

Call me a newb... but

[Logician007]

This may be of trivial concern to most of you, but I am not very well versed in open-source law. Would it be a problem say, for StarOffice to have used this expiration technique months ago, and now StarOffice isn't free, right? So would it be possible as a marketing strategy for companies to open-source software, build a large user base, have all of the (un-modified) versions expire then force them to a $$$ version?

This isn't meant to spark any debate on the distinction between free speech and free beer. Please don't really call me a newb :)

Good idea for foiling idiots...

[CaptainPhong]

I thought of the same thing back in college. Like milk, old code tends to go bad or turn into swiss cheese. All the profs were always pusing "reuse" and "don't reinvent the wheel", but I always thought there was WAY too much reuse. People in co-ops were using their crappy linked-list and sort routines they wrote as freshmen when their coding skills sucked (though I suppose many of them haven't improved much over the years.)

Sure, this sort of thing should be optional for power users, but I wouldn't mind, for example, if RedHat, by default, would periodically check for RPMs and notify the user that they need to install an update to remain secure. Your average idiot really needs updates crammed down their throat, otherwise they never get them. I mean, how many e-mail viruses bank on the fact that there is a huge volume of people out there who never get patches for Outlook? Working in tech support, I was shocked by how many people used truly archaic versions of Internet software or 4 year old copies of virus scanners. To protect everyone, I can see situations where it would be preferable that old versions of software completely die (Windows e-mail clients for example) when they get too old.

I don't know why the author chose to target OS stuff though - closed sourced software is no different (in fact, it's probably worse) in this respect.

I don't get this...

[SkyLeach]

Most people don't upgrade because they don't have the time. That's the whole point of the firewall: have one secure box between the big bad internet and all your insecure boxes. Sysadmins have the time to keep the one box (firewall) up to date, but not the 3,000 behind it.

please say april fool ...

Wow, I had to check the dateline on the article itself to convince me that this wasn't an April fools story .... it's not. But it is about as dumb as most of this years slashfool stories.

Re:This is a bad idea, in general.

(thus proving that most /. posters are closet BSD users)

Only Big Brother

[dar]

and the equivalent do things "for your own good". The first rule of good software - don't piss the user/admin off.

TeX

TeX would have expired *years* ago. That would suck.

Use a management tool to do this.

[_bug_]

Perhaps a standard could be developed that defines some way (an XML document perhaps) applications can have a defined "Expiration" date. Then a separate management tool that is aware of how to extract this information can do routine system checks and notify the sysadmin of "expired" software. This way software doesn't just stop when the expiration date hits.

I think this has many uses, perhaps less in the /. community which is seems comprised of people who keep up to date on security advisories, but for the laze or (as is often the case) the very busy sysadmin, I think this would be a very useful feature.

The method that defines a software's expiration date would have to include a URI or some other set of instructions on how to obtain the latest version. This method should also have available a "final version" or "never expires" option for software that is no longer being maintained or the developer has claimed as bug free (in a perfect world anyways).

This could be implemented at the system level (a kernel module) rather than as a 3rd party tool. However the kernel module would need to be able to ignore software that doesn't support this since unless the implementation is _really_ easy, most programmers won't perform this extra step on tiny apps or scripts.

There's also the potential (if implemented at the system level) for noticeable increase in CPU usage (if it's examining every file).

This could also play into the hands of IDSes as well. This "expiration date" could also carry some sort of CRC or authentication data as well. Might be a nifty way to tack on a system to authorize the execution of an application. But things start to get bloated as features are added on.

-B

Not that crazy...

[digitalamish]

It's not that bad of an idea people. It just needs to be presented the right way. I'd much rather have an option during install that lets me turn this feature on or off. Sort of an 'op-ed out' function. I think the idea of having the software 'phone home' is a bad idea. If a script kiddie found a vulnerability, someone could watch the traffic coming into the developers site, and then know exactly who has the flaw. Not to mention the privacy issues. Remember what a stink 'we' put up over Microsoft's Windows Update possibly tracking users?
--
No electrons were harmed in the writing of this post.

updating OSS

[Ironfist_ironmined]

of course for the rest of us, it is a simple Cron task.

Bad idea

Not all software is used on the public internet. If I use outdated software on machines physically disconnected from the rest of the universe, it harms no one. Furthermore, I can think of plenty of reasons I might want to do this (run outdated software AND run a disconnected network)

Mozilla

[lostchicken]

The Mozilla guys did this (they still might) for their nightly builds.

It works quite well to both encourage people to dig into the source, as well as to encourage the lazy to update software. This [Mozilla's scheme] is what got me into modifing open software to begin with. By incorporating these things, the experts [who already keep their systems up to date] would be able to remove them, and the lame would stay current, preventing things like DDoS attacks.

I HATE J00

[beefdart]

LEENUX SHULD B EXP1R3D D00D!@#%!%!#@$@%t^$%@!@!

Re:I HATE J00

[Treeluvinhippy]

Your cool. Yep you have definatly set up everyone here the bomb. Damn I should just stop typing and go lie down in the highway. I just don't think that I can compete with someone of your caliber,
and to be honest I'm hard pressed to think of any ubergeek who can even fathom the thought of challenging your supreme l33tn3ss. Damn you for being the best!

Re:I HATE J00

[Treeluvinhippy]

Your cool, you have definatly set everyone here up the bomb. I'm going to stop typing and go lie down in the middle of the highway because I just don't think that I can compete with someone of your caliber. Come to think of it, I can't picture any ubergeek that I know of who can even fathom the thought of actually standing before your supreme l33tn3ss. I quiver in fear that your going to hack my box and erase my wolfenstein saves. Please spare us your wrath almighty ub3rh4ck3r!

Stupid Idea

[Capt_Troy]

This is the dumbest idea I've ever heard. If I want to run old software, then it's my problem!

It's not the developers job to force people to upgrade if they don't want to.

Win95

[Night+Goat]

GOD, do I wish Windows 95 would retire itself. In this day and age, there's just no excuse. I feel sorry for the office workers who fight with that every day.

What a completely stupid idea

[Colin+Smith]

Guaranteed denial of service. Yeah that'll go down like a lead balloon with system managers and administrators.

Great way to encourage the use of open sourced software. "Yeah, It's 100% guaranteed to fail in a year".

Hmm...

[pseudofrog]

Seems to me this causes administrators to be a bit more complacent... to assume the software is fine and that it will 'expire' when it's outdated or has security holes. Administrators without an intimate knowledge of their software is a recipe for disaster.

Speaking of security holes - maybe I missed part of the article, but you can't exactly anticipate them.

But the main reason this won't work is that the logistics are mind-boggling. Unless you can convince ALL developers to implement this idea it will fail.

-Matt

Because

[why-is-it]

Why not just have it a feature of your package management system?

Because it would be foolish for a SysAdmin to load fixes/patches without testing them first. There have been occasions in which a patch will break something else that the application does. (Checkpoint FW-1 patches are notorious for this) There have been patches that are issued and then recalled because of problems with the patch itself. Who would want to put production systems at risk by having critical code installed automatically before the SysAdmin would have the chance to test it.

If someone wants to implement something like this, all I can say is that I hope you take regular back-ups and validate your tapes.

You will need them.

Re:Because

[klosskorban]

"Who would want to put production systems at risk by having critical code installed automatically"
.. Only an Fool!!
The Idea of a PacKaGe expiration is to have your system send you a notice if aPacKaGe has reached a predefined age. Its just a reminder to say hey, "don't forget about me!" Downloading, testing and installing thePacKaGe is still up to you. Auto-updating software is a M$ thing not a Linux thing.
The attentive sysadmin probably does not need this, but a busy home user, or a quiet server in the corner could benefit from turning this feature on. I don't like the idea of my system going out and connection to some server on its own to look for a newer version, and I feel a simple reminder allows you to maintain full secure control of your system while, helping to simplify the upgrade and maintenance process. And people who don't like it don't' have to turn it on.

Sounds nice. Has problems

[pete-classic]

I understand that you have good intentions with this idea. Unfortunately there are more problems with this than you can shake a stick at.

First, there is a name for software that is going to be deprecated in a foreseeable time frame. That name is "beta." If you are writing software with the belief that "in x months people will be better off not running this" you are doing something wrong.

Second, what if you write a really great program, and you put this "feature" in it. The program is great. People love it. They depend on it. And it doesn't have security problems. Meanwhile you get married, have triplets and move to the Amazon. Then your little "time bomb" goes off. Thanks a bunch. Now it falls on "someone" to rip the thing out. Not good.

There are any number of other problems like:

• People's clocks don't all agree
• What bugs might you be adding by putting this code in there that doesn't enhance the program's operation?
• Sometimes people need older versions to meet more important dependencies
• Who knows what else?

This is all outside of the fact that I (like many others) don't care for software that thinks it is smarter than I am. That's why I run *NIX in general and Free Software in particular in the first place.

Bottom line: Sounds nice. Makes more problems than it solves.

-Peter

um anyone know what happened to ftp?

[RestiffBard]

seriously. what happens when the program expires and no one is maintaining that software anymore and there is no upgrade? also. since its open source whats to stop me from getting a hacker (the good kind) friend to remove the time-bomb code? This all sound like an asinine idea. Much more trouble than its worth.

A Likely Result

[SpamJunkie]

Really, all that would happen is a startling number of web servers would have their dates set in the 1970s.

Warning

A warning rather than an expiration might be a better idea

http://www.b.150m.com

Sounds like a bad, misdirected solution to me

[derobert]

Why do admins not update? Probably because most distros do all of the following with updates:

1. Make it hard.
2. Break things.
3. Have updates that don't work.

All three of those describe my experiences with RedHat. Until 7.0, it wasn't easy to see if your software was up-to-date. Even with 7.0, you still have to worry about them breaking things. And half the time the dependencies don't work out, especially if I've isntalled something myself. Which is needed quite often, because RedHat doesn't have to great a variety of software in their distro. With older versions, you had to go to updates.redhat.com and chase them down yourself. Half the time, I still have to due to dependency problems, etc. No surprise, anyone ever noticed how hard it is to report a bug in RedHat?

Fortunately, a solution has existed for a while. I have been using it exclusivly for a while.

planned defects?

[TimButterfield]

Personally, I don't plan on the software I write having defects. That is not to say that it doesn't, just that having defects is something I strive to avoid. Given the premise that having defects is a bad thing, building in obsolescense because you might encounter a defect at some point in the future seems to be a defeatist attitude. "I know it will have defects, so it should just stop working." That's just crap.

Good enough software? If the possiblity of a defect is such a bad thing, it would be better to build in methods that allow for that possiblity. Several of those have already been mentioned here. Software that can check for available upgrades or just having a method of notification of available upgrades are just two possibilities.

Re:planned defects?

[someonehasmyname]

mod this guy up.

lameness filters suck

what about manufacturing products...

[GutterBunny]

...that run open source code? If you have automatically expiring software, then the vendor (or customer) would be forced to update those machines in the field whenever the software expired. Even if the warranty you provided the customer expired long ago.

What do you tell them? You can buy our machine and it will expire in 3 years, even if the steel is good for another 20.

No, no, no!

And NO!

First of all, if you want something to auto-disable your software at some point in time, that's easily done with a shell script and "at" or "cron".

Second. Imagine this situation: Late at night your server suddenly stops working for no apparent reson - after debugging the problem you find out that some library needed by your mission-critical application just expired and automatically disabled itself - rendering your server useless...

NO THANK YOU!

Security Panics Are WORSE Than Holes

[RhettLivingston]

I've been extremely active on the Internet for over a decade, freely downloading thousands of programs without running Antivirus programs and have never gotten a virus. If I did get one, I'd just spend a day rebuilding and move on.

On the other hand, I have lost multiple MAN-MONTHS of time due to various anti-viral and other security enhancing efforts that broke machines that were my responsibility to maintain.

When you add up the cost in man-hours required to make software more secure, the cost of not having new time saving features because a vendor is delayed on a release while checking out security, the cost of running AntiVirus programs (turning off Norton Antivirus is a HUGE speed boost on running many programs with large data needs even on my 1.4GHz machin), the cost of tracing why such and such program/driver isn't running every time an antivirus program trashes an installation, the cost of doing all of those upgrades, and the cost of finding all of the new problems caused by the upgrades, etc. etc. etc.,,, you find that forced security and running of anti-viral programs has caused far more lost man-hours and $$$$$ than all of the true infections and penetrations that have occurred combined.

I see that this recommendation was written by someone in a security company...

Don't punish people for doing stupid things.

[dashjosh]

They'll learn soon enough.

Re:Don't punish people for doing stupid things.

The person who should be learning is you the developer!!!

Don't just publish everything that comes out of your ass and then call sysadmins stupid for running it.

Am I missing something?

[africanswallow]

How do you force open source software to do anything?

Absolutey not.

[someonehasmyname]

Hell no. If a system administrator is too stupid to upgrade buggy software like bind and wu-ftp for security reasons, he's definately too stupid to realize his dns servers stopped working because bind expired.

this article is such a troll

[ethereal]

And all y'all took the bait, unfortunately :)

Mr. Lasser can talk about using apt-get with signed packages, etc. but that doesn't really get to the heart of software upgrade woes. My biggest concern is not "is this a malicious update?" (because that's pretty much a solved problem), but rather "what got broken in this software when the other fixes went in?". There's no way I'm going to let even the most trusted package updater touch a production system without my first having manually tested the new code for suitability, read the release info to find out what's changed, looked for situations where the config file format changes, and all the other other "enhancements" that get rolled up into bug fix releases these days.

There is no way that I would accept an untested auto-update of machines that I'm responsible for. So therefore any proposal that would put me in such a position would be a huge mistake IMHO.

Not good...

I thought Open Source was about allowing a user to do as they pleased with software, hence the term "Free Software."

It seems that since the code is open source anyways, any locking mechanisms put it would be easy to cirumvent anyways... unless your goal is to make the code so not understanable that it would be difficult to change, but that too is against the spirit of open source.

The main thing is though... who's to say what version of software I'd like to use? Maybe the newer software is bloated and unruly... what's being proposed here is just an attempt at forcing upgrades... no thanks.

reminders, not forced

it would be much more useful to have an optional notification system, either emailed or pop-up in X, or something - "This software was last written/patched on Date X. Consider upgrading." Apache crapping out in the middle of the night would NOT be cool ;)

Come to think of it, auto-notifications would be cool Autoconf option...

Glenn

Words fail me (almost)

[Kphrak]

A program rigged like a time-bomb? Perhaps a program doesn't have a security hole, but is merely not maintained anymore. Under this plan, it dies in x number of years, and suddenly a perfectly good system goes down the crapper. And perhaps the guy who installed it has moved on to greener pa$ture$....leaving the current admins to figure out why something that was never touched blew up in their faces.

I don't even know why I'm replying to this obvious troll of an article. One of the things you hear from every frustrated admin is, "What did they change? This box has worked for three years! And where the HELL is the documentation?"

This is such an amazingly bad idea I think it should be preserved somewhere in a museum, along with the recipe for New Coke and the plans for Galloping Gertie (bridge in Washington that used to ripple in the wind).

What does this have to do with open source?

[jtownatpunk.net]

First off, why would such a thing need to be limited to open source software?

Second, it's one of the worst ideas I've heard in a long, long, long, long time. What about the software that works perfectly and doesn't _need_ an update? I used the same backup software from '97 until last month. I didn't need to upgrade because the original product worked fine. (I have to switch now because we're changing platforms.) I still use Excel 4.0a because it does everything I need a spreadsheet to do and it needs a fraction of the resources that the current version uses. I just checked the copyright on Excel 4.0a and it's 1985-1992. That means my decade-old software is still functioning perfectly.

And why should people with offline systems need to worry about network security patches? If I've got a standalone system controlling a production line with no connection to any other computer, why should I have to worry about keeping out l33t hackers? "Gotta schedule some downtime because the software is expiring. No, sir, it's the new fashion. We're being forced to upgrade. Yes, the upgrade will work. We spent the last 3 months doing nothing but testing the new software. No, there's nothing wrong with the old software but it will stop working in 3 weeks. No, it's not a licensing problem."

If your admins aren't patching systems that need to be patched, fire them and tell their replacements what happened to the previous admins. Don't try to make me upgrade everything in sight with no regard for the context in which the machine or software is being used just because a small number of people aren't doing their jobs.

No--just remind the sysadmin to check for updates

[Kakurenbo+Shogun]

This is a very good starting point for thinking about a solution to a serious problem, but I'd have to agree with a number of others here that it is not the right solution.

It seems to me that there are a few needs here:

1) Having an upgrade system that's easy enough that sysadmins won't dread it and put it off till it's too late. (I run dselect on my machines on a regular basis, and ... at least once you've slogged through the package list and gotten just what you want on your machine ... I think it's a great sytem)

2) Getting sysadmins in the habit of using the system regularly.

Perhaps a good solution for number 2 would be to have a standardized system (which is installed and set running by default) for alerting the sysadmin if they've gone too long without checking for an upgraded version of a piece of software. Once a day, a cron job checks to see if it's been more than a week or whatever since the packaging system was run to check for updates, and if it has been that long, the admin gets an email every day reminding tehm to get on the stick.

Better yet, a cron job could run once a day to check whether any upgrades were available, and if so, send an email to the sysadmin to tell them to upgrade. (I wouldn't advocate automatic upgrades, because you never know when something requiring a little human intelligence is going to happen--rare but not unheard of).

The remaining issue would be custom-compiled software that you can't just grab using the packaging system. For example, I've got a custom Apache installation with PHP, mod_ssl, etc. built into it with all the options set the way I want them. I've built my own compile and install script to automate rebuilds whenever I notice that one of the components has an upgrade available. If the OS could provide some standardized service for each of the components to check for updates and email me when one is available, the process would be almost 100% painless.

Then

[Treeluvinhippy]

everytime Red hat or another Distro releases a new version wouldn't a good portion of the software have already expired?

Warning...

[Laser+Lou]

Could it lead to messages like this?

"This program will self-destruct in 30 seconds."

Ick

[bruns]

Ick, forced upgrades. Microsoft-like. I should smack you over the head for suggesting this type of thing. Goes totally against the idea of open source.

Always at 3AM too

[The+Cat]

No.

Suppose a system administrator wants to leave an old version running for some reason? That's their decision. Linux is useful precisely because it doesn't have to be upgraded every five minutes.

It works. Leave it alone.

Negative impact on Apache stats,

[Bender+Unit+22]

I feat that it would have a very negative impact on the apache stats. on Netcraft. Imagine it, from day to day 25% less webservers on the internet. :)

make more problems

[Qazimov]

If someone isn't updating their software, it's because they are either lazy, or they don't care. If the software expires at a given date, these two types of people, I feel would be inclined to simply set back their system clock. If this causes the creation of a mobius, and we're all forced to relive the 80s I don't think open source software will ever hear the end of it.

Needs refining or we become like MS

[Kefaa]

While it would be beneficial to force such an account, it is on this same ground that we constantly roast MS. Forced software upgrades under the auspices of improved security, stability, etc.

Consulting with dozens of corporations, I have seen many run old versions of anything from compilers to CICS regions to security patches. Sometimes for business reasons (cost) and sometimes for compatibility (upgrading to a current version causes incompatibility with their client's software). Whether we consider them legitimate, the business does and it is critical that we not add to the issues of OSS adoption.

While Jon was speaking in general terms, and the devil is in the details, his idea does have merit. The implementation would need to allow for the positive acceptance of risk by the software user. If I have a specific need to run netSecsoftXYZ beyond its expiration, I should be able to do so without it shutting down. In addition, I should not need to recompile or reboot to continue operating with the existing version. In this way, I acknowledge that I am running an older version at "my risk." The responsibility for my choice would then be placed with the organization.

This does leave the potential for abuse. However, we cannot avoid the potential misuse of something to halt its development. Just as we want to be able to make backups even if the device could be used to illegally copy software.

not expire print warning-- Kinda like Xfree does

[doon]

Something like X does when it boots. As shown below.

XFree86 Version 4.1.0.1 / X Window System
(protocol Version 11, revision 0, vendor release 6510)
Release Date: xx August 2001
If the server is older than 6-12 months, or if your card is
newer than the above date, look for a newer version before
reporting problems. (See http://www.XFree86.Org/FAQ)
Build Operating System: Linux 2.2.19 m68k [ELF]
Module Loader present
(==) Log file: "/var/log/XFree86.0.log", Time: Tue Dec 11 20:15:04 2001
(==) Using config file: "/etc/X11/XF86Config-4"

A better way ...

[Merlin42]

First I think the word "All" is a bit strong. Sometimes an old _trusted_ bit of code is a GOOD THING(R).

Maybe instead of just crapping out like some piece of proprietary beta software it should start putting little messages in the logs as it gets older:

Apr 3 16:27:09 pc19 crap[666]: crapWare v0.1234 ... Im getting a little long in the tooth . . . please upgrade me

And these messages should appear more and more frequently over time

Kevin

Like Red Hat Network (RHN)...

[Guru2Newbie]

does for the Red Hat distribution.

Having a system like this implies (a) there will be some centralized application-version database somewhere, and (b) your system must check in periodically for updates. Could this database be for all non-OS applications on many popular distributions? Perhaps.

already here, kind of...

[EvilStein]

SuSE has their update stuff that acts like Software Update.. you can just run it whenever you see fit and update software that way. Time bomb software isn't a good idea. Besides, were it open source, we'd just remove the time bomb code anyway, right? :-)

upgrade notification

[jlmcgraw]

Why not have an auto version checking feature? That way you're always in the know about the latest version and not forced to take any action you don't feel like taking.

"You have version x.xx, the latest version is y.yy; we recommend that you consider an upgrade"
"Go to blah.blah.com/blah to download"

Jon, you are the devil!

[Roguepixel]

Jon Lasser, you are the devil! Forcing people to migrate is pure evil. Obviously Jon hasn't thought this through objectively.

They are reasons to run old versions of software. Like hardware requirements, and the fact that as products progress, they sometimes add requirements that might not be met by the current configurations. That could doom some admins/companies/people or leave them wondering if the update is worth invesment over the exposure of the security risk.

Jon Lasser is clearly someone lacking on implementation experience

Either that or

[Guru2Newbie]

...they'll squish your head between their hands (pop! goes your noggin!) or smash through a wall, grab your hand and one by one, break your fingers so you can't type the commands to update them, letting them die in peace.

Re:Great Idea - For Car Manufacturers

[KosovoYankee]

Well, trouble is, when you are out on the highway adn all the oil drains from motor, you jsut bought a new motor. Or conversely, if it does it as soon as it's parked, then I guess you are walking home from the mall. An extreme terminal solution isn't always the best or most practical - just the most final.

Well then ...

[ProfMoriarty]

at least proprietary, closed-source stuff like PACEMAKERS won't expire on us unexpectedly.

I can just see it now ...

Detective: How did he die?

Coroner: Well ... he was running 2.0.3 of UberPace. You know, the Open-Source pacemaker software. Well ... he should have upgraded, but forgot.

Perhaps Not the BEST Idea

[khog]

Maybe adding something new that makes the software stop working is a bad idea. Perhaps a mail to root@localhost a la cron would be a good idea, but software that auto-updates or auto-dies is a bad idea. What if a Linux kernel auto-updated to 2.4.14? (Or was it .15? The one with the serious problem, you get the idea.) A monthly e-mail (which can be turned off, and the e-mail tells you how to turn it off) that provides the URL of the applications patches would in fact be useful; there's plenty of software which doesn't merit a subscription to a mailing list yet still could pose a security or stability risk.

Ultimately, there's no substitute for a competent administrator, but a bit of warning can't really hurt anybody. Shutting it down automagically takes the mickey out of the software and would be a Bad Thing.

Mike.

Patching Stupidity

If this ever hits the world in any form it will be patched out of existing before the first user download.

Stupid Idea.

[U6H!]

If I'm runing a cacheing DNS server on my loopback address, it's a waste of effort to upgrade it even if it has as many wholes as a wheel of swiss cheeze, or worse yet, a M$ OS. Also, I disagree with the premise that "most sysadmins" tend to neglect security patchs & updates. Besides.... It's like the counterproductive logic involved when M$ releases a patch to protect agains DOS attacks that crashes 25% of the boxes it's installed on. Here your talking about crashing a box semianually to protect the person from getting hacked. Basically, the person was allready hacked when they installed the termlimited software. Trojaned if you will. It really must be a slow news day.

It's mainly for the luser admins, right?

[RatOmeter]

OK, I think we'll all agree that the vast majority of servers that've been exploited and abused for a long period are in the hands of luser admins. Savvy admins get burned all too aften as well, but they usually catch it and patch their systems before too much time has elapsed.

Think about it... how many SMTP open relays are still running that have been spew points for years? How many Code Red hosts *still* probe your hosts, after all the hype and months gone by? How many hosts can you find that are listening on port 12378 (Gibe worm/trojan)?

The "admins" of these systems have *no clue* what's going on and LARTs fall on deaf ears at their luser ISPs!

So. My proposal is this: Include disabling timeouts on *all* net connected ware, enabled by default. Put a nice, little checkbox in an unassuming corner of a/the install screen (or a line in a conf file somewhere) that allows this "feature" to be disabled.

I figure all savvy admins will turn the feature off. Some of the luser admins will turn the feature off. A majority of the lusers won't even know it's there, and won't disable it. To bad for them, but they'll have a cluestick swingin' their way in a year or so.

I still don't think it'll fly (no one's going to build this feature in), but the above is my spin on how it might be made to work, after a fashion.

-

Re:It's mainly for the luser admins, right?

[j7953]

A majority of the lusers won't even know it's there, and won't disable it.

Huh? As soon as a clueless admin has run into this problem once, he'd certainly disable this "feature" after installing the new version, so if anything, this will be a one-time feature. Also note that even non-expert users have been reported to having disabled the helpful "I think you should be writing a letter" Office Assistant.

The problem with the "luser" admins is usually not that they don't know about configuration options. The problems are (a) that software is installed with insecure default settings, and the admins stop thinking about the config as soon as things seem to work, and (b) that many admins don't really understand what an option will do.

At least problem (a) could be solved quite easily. As a simple example, I recently set up a DNS server (Bind 9) for my home network on my firewall/internet gateway. I started by configuring my internal network's zone, and setting up caching for internet domains. Only when everything worked already did I realize (by using netstat) that Bind would listen on all IP addresses, including the public one! This is a problem that could be solved really easily by making listen-on a required option, set to "listen-on { 127.0.0.1; };" in the config file that is installed when installing Bind.

Provided that the default settings, and how to change them according to your requirements, is well-documented in the installation manual, I think better default setups would solve a large number of the security problems that exist with many systems connected to the internet.

Concerning problem (b), this is a problem that cannot be solved by developers. Managers have to realize that hiring cheap but clueless admins is not a good idea, and in some cases, free software needs to become more well-documented. Having auto-expiring software won't help here.

how about we let admins do their job

[moore234]

I am sick to death of folks using technology to try to solve people problems. All this indicates is a flawed understanding of the problem.

For example, the issue here is not binary. Security is not the end all and be all--folks should have the freedom to make informed rational decisions to make their systems less secure. Perhaps it's just a web server and not mission critical? Perhaps they need an older version of java to run an older program that they need. Knowledgeable admins should have the freedom to make that choice. Don't force policy via technology.

But this is indicative of a larger trend to look at technology to solve all our problems. Have sex offenders in the neighborhood? Make them wear beepers so that decent folk can know where they are! Have mental health problems? Take a pill! Folks speeding? Put up those goddamn speed cameras!

Rather than dealing with people on a personal level, we use technology to dehumanize interactions. I think it's because technology is easier to understand. It's not as complex as humans are. Technology also scales better than personal interactions do. It lets us do things more efficiently, but, mon dieu, what kind of world are we creating?

Dan

Re:how about we let admins do their job

[AaronStJ]

I think it's because technology is easier to understand. It's not as complex as humans are. Technology also scales better than personal interactions do. It lets us do things more efficiently, but, mon dieu, what kind of world are we creating?

Appearantly, an effecient, scalable, easier to understand world.

Re:how about we let admins do their job

[Rombuu]

I think people know exactly what the problem is on a human level. Unfortunately the law doesn't let us do the rational thing, which is hunt down and kill people who leave open mail relays, etc...

Re:how about we let admins do their job

[Angst+Badger]

Security is not the end all and be all--folks should have the freedom to make informed rational
decisions to make their systems less secure. Perhaps it's just a web server and not mission critical?

This is an excellent example. The company I work for (which shall not be named, thank you) maintains a cluster of webservers dishing up dynamic content backed by a pair of MySQL servers. We make a good effort to make sure the things are reasonably secure, but there comes a point when the time required to tighten the last bolt exceeds the time it would take to restore the systems from backup in the event of an intrusion. Mind you, we *did* put a good deal of effort into building tools to do that restore quickly and painlessly from a secure (read: air-gapped) backup copy. And we aren't a financial institution -- fifteen to thirty minutes of downtime would suck, but it wouldn't be a disaster.

Note for the curious: the backup system images are stored on a SCSI drive in a cheap external enclosure. If one of the webservers is trashed, we insert a custom boot disk (modified from tomsrtbt) and attach the drive. The original state of the HD is automatically restored, and the box is rebooted. Total cost of system: about $300 worth of development time, a spare drive laying around, and an $80 external enclosure. Obviously, this will not be suitable for databases, but it works pretty well with web servers.

The important point is to keep in mind how much security you actually need. Financial data needs alot; other stuff might not need so much. Actually take the time to calculate the cost of restoring lost data (or dealing with stolen data, if applicable) versus how much time it would take for those nice fellows making $50-$80/hr. to (maybe) prevent it from happening.

A better idea..

[Planetes]

Rather than having it expire, why not have it query the "parent" server where the project is maintained. If there is an update, the software could automagically generate an email or equivalent for the local admin saying that a new version is available. The admin isn't forced to update it but does receive new version notices. The package should probably also generate a message for the admin if it can no longer contact the parent server (i.e. libET can't call home.. sorry, couldn't resist..)

All of these would need to be configurable but that's for the individual admin to determine.

howabout this...

[TheLocustNMI]

howzabout if it sits around to long, it sends a message to your boss to replace you, the lazy admin, you frickin' slacker!

that'd be preferable.

Re:howabout this...

[jsse]

howzabout if it sits around to long, it sends a message to your boss to replace you, the lazy admin, you frickin' slacker!

ln -s /dev/null /var/mail/phb

He doesn't read email anyway. :)

Look around...

[fungus]

How about a "Critical Update Notification"? Microsoft has something like that for Windows, looks like the best way to keep the admin informed about new vulnerabilities...

Re:Look around...

[nagora]

looks like the best way to keep the admin informed about new vulnerabilities...

Not to mention forcing them to install useless software. When it works at all.

TWW

self-expiring software? ha! ha! hee! hee! ho ho!

Excuse us Jon, but April Fool's was YESTERDAY!

It has nothing to do with Open Source software

[DocSnyder]

Even if all insecure Open Source software would have been disabled, there would still be plenty of Closed Source software some of which has proven to be even more dangerous to the Internet. What is more, manufactorers of Closed (or Shared) Source Internet software would discredit Open Source competition as too risky to leave alone for more than a few months, and claim to "have the way out"...

upgrades are risky

[cxgd]

Every upgrade carries with it the risk that it will completely screw your system. So if you have a critical system which is working fine why should you risk jeopardising it with an upgrade ? I think it's a crap idea.

Let sleeping dogs lie.
If it ain't broke, don't fix it.

um...

[Dave_bsr]

Mandrake's RPM system (since 8.0??) has a nice little feature called "Mandrake Update" that can check for a) security problems, b) updated software, or c) bugfixes, or an combination. I just run that every few weeks. Your request is fixed, depending on what package manager you use.

my One True Program

[brer_rabbit]

#!/usr/bin/perl -w

die "program out of date, check web for update\n" if (time > 1049408843);

die "waiting for updated version to become available\n";

SIVC

[edbarrett]

check out Simple Internet Version Control. Honestly, I can only remember three apps I've ever used that included it, but it's a protocol that allows a developer to guestimate how many users have installed the app and keep users informed that there's a newer version available.

sounds like M$ to me..

[destiney]

that's dumb.. not every opensource software package contains security holes. some packages, i.e. games, don't even do networking stuff.

it'd be like:
oh shit, my opensource othello program is 2 years old as of today and won't work until i upgrade it. too much like a microsoft way of thinking to me...

Here's a better idea.

[swagr]

Companies aren't allowed to sell, give away, or otherwise distribute hardware or software.

That way the sys-admin will really need to develop a cozy "relationship" with the harware he built from scratch, and the sofware he toiled over. Only through this type of "do-it-yourself" administration, can we be assured that sys-admins really know what's going on in their (literally) machines.
</sarcasm>

Been there, done that... it's bloody annoying

[sheldon]

Netrek clients had expiration times embedded in them back about 8 years ago. The theory was similar, that there were probably bugs and the developers wanted to force people to update periodically.

It didn't make much sense because clients were also digitally signed with RSA keys, and those could have been revoked and new keys issued, but anyway.

The problem came along around 1997 or so when people stopped maintaining and creating new clients. Once a year the bloody client would expire and you'd get a series of posts to the usenet group and mailing lists whining about it. Someone would then have to go recompile the client(usually with no additional changes in the source tree) and put it up on an ftp site.

I remember rejecting this expiration idea back when it first happened and forked my own client versions which didn't do this. If I want to eliminate the use of a version, I revoke the RSA key.

And the first thing any programmer would do

[moocat2]

is find the code that implements the expiration system and remove or disable it.

Anyway, even if you could do that, how long do you make the current version last. There have been way too many times when code is released and within the next couple of days and major bug is found. Using a time based expiration system would simply not work.

Re:self-expiring software? ha! ha! hee! hee! ho ho

oops! heh! heh! I meant the day BEFORE yesterday!
:-)

Good idea

This is a good idea. However, it should be easy to turn this feature off (but for God's sake, NOT behind a simple GUI!). Software packagers (RH & Co) should leave the default on, at least for the "critical" packages. That way, security becomes a more concious choice, not just a silly "medium security - maximum security" checkbox.

Autonomy bad in a managed setting

[SuiteSisterMary]

When it's time to install an upgrade, I, as the sys admin, will do the regression testing, sanity checking, and all that stuff. When I'm happy with the upgrade, I'll roll it out to my servers and desktops through automatic means.

My users, on the other hand, are forbidden from installing patches and upgrades on their own. Who knows what it will break? And, as a corallary, they don't need to be bugged about things that are out of their control anyway.

Life critical

[genkael]

Wouldn't it be great to have software that expired on a life critical piece of equipment. I can see the doctor now, "I'm sorry, your son or daughter died because some piece of open source software expired."

There are also those of us that have to wait until we have an opportunity to bring down a server, and can't afford having a system go down before that. I'll take a risk with the hackers...

The software could...

[phpdeb]

automatically query a server for new updates on a regular basis. When it sees a new update is available it downloads the software, installs it, formats your harddrive and reboots.

Seriously having an option on a security/network package that notifies someone via email if a app gets too old would be a good idea.

Automatically doing stuff on servers needs to be left the people that know what they are doing, like Microsoft or perhaps the dude or dudette that is paid to manage that server.

it's an oxymoron

[Cheeze]

given the code of an open source application, it should be pretty easy to just comment out the part that expires. if you have the software checking a server or something to see if it's still valid software, just comment out that stuff and then recompile. seems like a waste of time, but i am sure someone has implemented it before.

Here's a better idea

Make something similar to Window's update so that its painless to update the software. Everyone always claims that linux is in every way better then windows, how come I need to rebuild my kernal every time there is a patch available?

And for the jackasses that will invariably respond with "Its fun" I will save my self the time and just tell you to fuck off right now, because I actually have stuff to do with my free time.

Less Blade Runner, more E.T.

[ave19]

If it's a networked app, just make it phone home every so often to see if it needs updating. Then email you or something.

Maybe, if you configure it to, and it phones home to learn it's got a big hole in its chest, it could close itself down until you can fix it.

Or, why not fix it automagically? I'm tired of hunting RPMs.

Let developers fix their own bugs

[digitalpeer]

I would have to agree that hiring better sys admins in the first place is a viable solution. However, there are boxes sitting in the basement of some companies that people don't even know about most of the time and paying a sys admin to sit in front of it is a waist. And when the company eventually does realize it exists months or years later, it's only because it stopped working.

If there was some OPTIONAL scheme to give the developers of software a way to update their own software (updates as in fixing buffer overflows, etc) out there without sys admins needed. In other words, leave it up to the developers of the software to EASILY fix their own horrible mistakes. This does not include upgrades - more like fixes.

In a way, giving the software the ability to phone home to its developer for critical updates would be extraordinarily beneficial. Of course, this will easily fail if developers abuse the system and do more than just fix bugs without changing architecture.

I can see a single, open source system that all developers can use as the perfect solution. It saves money, and it gives the developers the ability to compensate for their mistakes.

Agreed, there's plenty of room to criticize this.

Good idea, but a bit too far

[Cerebris]

He's got a good idea, but I don't agree with the implementation. This has probably been submitted, but it seems to me that instead of the software just outright not working, after a certain time, it would simply display a message every now and then advising you to update.

This could be a good task for some sort of mini-program to be included in all kernels that collects these messages from all programs on the system and displays them, so you would run "progupdates" or something and a list would be generated of everything you need to update. This program could also be made to connect to a database and compare version numbers with a list to determine if a new update is available, and then advise the user that it is available. Imagine it sort of like Battle.net, on connect, it checks your version against the server and informs you if your version is out of date. (Unlike b.net, though, software patches should not be required, rather, just advised).

-Colin

Way to DOS yerself d00d!

[obtuse]

Since the Sysadm couldn't manage to maintain the systems, he timebombed them to ensure their reliability.

Bathtub curve

[alansingfield]

Typically, the reliability of a software follows the "Bathtub curve" -

\ __
^\_______--
| Faults -> Time

When very new (such as in Alpha or Beta) its likely to be wrong. Nobody's really used it in anger, so the real-world faults haven't been found yet.

When very old, someone may have found how to exploit obscure holes in it, or there's a better way to achieve the same task.

So rather than applying a single expiry date to the whole program, a better policy might be to apply the expiry dates per feature.

When a beta feature's code passes, it can be given a long expiry date. As each feature reaches its expiry, it can be reviewed, and if it is still satisfactory, the expiry date can be extended.

This way, you won't be affected by the expiry system unless you use the brand-new or unmaintained parts of the program - the bits that are most likely to go wrong.

Re:Great Idea - For Car Manufacturers

he wasn't being serious
it's sarcasm

Better idea...

[Russ+Steffen]

Don't expire, just start logging messages when the software has reach some predetermined age. Like, once a build gets to be a year or year and a half old, start logging a message to syslog ("Yo sysadmin, I'm kind of old. There might be updates. Look into it.") about once a week.

Just an idea.

Worst. Idea. Ever.

[CrashRide]

Well, maybe not. But it's close.

Expiration of Web Services?

[jwinterboy]

I agree that triggering an upgrade, or forcing users to remove offending code on their own is too restrictive, and against the spirit of Open Source, but ... isn't this something we'll all have to accept in the web services world? Regardless of whether the service is written for Mono, .NET, or Java, we will have to become accustomed to "upgrading" to newer versions, without our consent or perhaps even knowledge. Is there an acceptable policy we can come up with now to deal with this forthcoming issue, besides: (1) recompiling the source and having it reside on our own machines (which defeats the point of web services); (2) having multiple versions of every library available by the author for years on end? I see this more as an issue for the Open Source community than for the proprietary platforms, since their answer is likely to be to force the upgrade, without your consent or knowledge.

No, but...

[strombrg]

...but perhaps network-accessible daemons should check magic hesiod (DNS) records before servicing requests, disabling themselves if the magic hesiod record says "You're insecure. Go away".

I don't want planned obsolescence, independent of whether software is secure or not - that would MASSIVELY increase our workload here. But I wouldn't mind software that automatically turns itself off when the maintainer says "that version's no longer secure".

Sadly, there might be a temptation to use this for forcing upgrades that aren't security-related. That'd be a mistake.

It's possible there should be a config file that specifies how important security is to a site. If the config file says "security is priority 0", anything even slightly insecure is disabled. If it says "security is priority 100", only really critical stuff (like remote root) is disabled automatically. 75 might mean "remote, but not root", 50 might mean "local root", 25 might mean "local but not root". Maybe priority 200 should mean "never turn anything off, ever". Or something like that. Maybe there's no good reason not to use a larger maximum, like 2^31 or something - there may be a desire to squeeze more priorities in there, and it'd be easier to expand at the outset, and there's not much penalty for making it a wide range from the start.

If a service is already internet based, perhaps there isn't that much reason not to depend on the (cached) DNS in this way. If the hesiod records are cached, no big deal - that's still much better than running insecure forever. The maintainer can also control the TTL of his/her security-related hesiod records I suppose.

The config file should probably also say what to do when a yea or nay hesiod record can't be found, because someone could pound the maintainer's DNS servers into oblivion to gain access to your insecure stuff - for some that means "turn it off fast", while for others it means "Eh, it's probably just another machine that fell off the net. Service requests anyway".

This kind of makes a "is this version later than that version" comparison function desirable. Alas, software packages are numbered by many different methods, so there is no one true comparison function for this purpose. However, if a library is developed for this kind of check, it could include comparison functions for the predominant software version schemes.

I suppose the software should mail someone if it turns itself off. This could again be specified in the config file, defaulting to root@localhost, postmaster@localhost, and anyone else who seems distantly relevant. You might even wall the system about it if the admin was too lazy to specify an address for notifications.

Re:No, but...

[strombrg]

The config file should probably have an option for just syslog'ing instead of disabling, too.

Idea has some merit

[GMFTatsujin]

There's already been a lot of talk about what a bad idea this would be if every service on your box ups and dies because it thinks it needs to be upgraded, nitification vs. death, etc...

I don't recall anybody talking about what it's like migrating server *admins* though... If I'm coming in on a new admin job, I think I'd like to have some kind of system in place where I could run a check on everything running on my system and have it report version, install time, last modification to the config files, etc, instead of having to hunt everything down manually.

Here's my suggestion: Install a time-based notify bit with each new app or service installed on a machine. Make it part of the RPM manager or something. Make it optional - I don't so much care if there's a new version of Armagetron available, but anything that has to do with a critical security or connectivity service, yes, please. During install, I click a little option box that says "Remind me to look in on this service in a few months."

A few months later, the admin gets a notice - time to look and see if there are any patches to (whatever).

And if the server admin goes on to another job and someone else steps in, he or she can just query the application installer - how long has it been since the last update to the firewall? Or the Virus scanner? or whatever? His transition into the center chair just got that much easier.

I mean, with all the non-admin projects my own poor little admin gets stuck on, it's a wonder he can keep up with security issues at all. It's easy to get distracted from your actual job by orders from the people at the top who forget that you are, in fact, just one person. It's that devilish "other duties as required" clause that gets built into every job description...

Do it at the level of the installer, or the compiler, or whatever you use to turn a downloaded file into an executable thing. This time monitoring code is only relevant when somebody installs it, after all. And if the standards (if any are actually established) change, then every programmer in the world has to keep up on it... Let the programmers program the app. Let the admins admin the app running on their box. This is an admin feature. Let it be so.

GMFTatsujin

Re:Idea has some merit

[corps_inc]

Wouldn't it be more simple to apply your self to mailing lists that are interesting to you. I'm doing that, it works.

Apply to mailing lists of projects that you use to be informed of project updates, apply to major security site news for new security holes. Reconect to SMS on your phone and here is your reminder.

But your suggesting of self executable self implantable update files is bad. Admin *must* be present when update is in progress. It is even more preffered that admin is in charge of that update if something goes wrong.

Re:Erm, yes

[IdleMindUI]

Never assume that a system is secure, especially if it's just behind a firewall. Firewalls, like everything else, should be expected to fail.

NO!NO!NO! Re:Bad idea

[garyrich]

Hell no! Here in the land of Big Pharma we have this peculiar thing that they call "Computer Validation". It has virtually nothing to do with "validation" in the ordinary sense and more to do with huge piles of paper and endless meeetings than it has to do with computers. But, there it is. It means it costs huge amounts of $$ to change or improve anything. I have to regularly deal with stuff that's 10-20 years out of date (yes, including many of my cow orkers) because it's impossible to update it without making the FDA freak out. Don't make one more thing where I have to fight the obsolesence versus costs of re-validation battle!

Re:NO!NO!NO! Re:Bad idea

[corey_lawson]

You use opensource on validated systems? You are a brave one...

Re:NO!NO!NO! Re:Bad idea

[JWW]

I feel your pain, quite literally. I to work at an FDA audited location and we are delving into the EVIL realm of "Computer Validation".

The part I like the most, is that apart from creating all your own apps, its almost impossible to validate. Almost all (by that I mean I that there might be one that does) purchased software doesn't meet the Validation requirements. For stuff you make yourself you still have to cover the OS, the Language and processes you use, any minisucle change to the machine, etc. ad naseum.

To the other reply to this message, it doesn't matter if you try to validate Open Source vs. Closed Source, you're pretty much screwed either way.

This is way the proposed CDBTPA scares the hell out of me. Congress is actually suggesting that if Hardware and Software makers can't come up with workable copy protecttion schemes one will be forced on them. Judging by what the FDA has come up with for Software Validation, I am deathly serious when I say that what they would come up with in the CDBTPA's case would probably destroy civilization as we know it.

The software is NOT yours

The software is mine

You couldn't be more wrong. Sofware is NOT yours unless you wrote it yourself and you maintain all rights to it. The Linux kernel and the associated GNU utilities that make up a distribution may be installed on your box, but it is definitely not yours. You are licensed a copy, through the GPL. You may modify it, redistribute it, sell it, etc., sure, but you cannot claim ownership of it.

thumbs down

[room101]

Hate it.

What really sucks is when you maintain about 300 boxes that all are the same (think of a web server farm, in my case). They will expire at the same time, and you get 300 messages (maybe every 10 minutes like ssl certs do). Then, you have to upgrade all 300 within some abritrary time.

Of course, you probably have already upgraded to get security updates (unless you use IIS ;0), so this is purely hypothetical.

"Embedded" systems

[Just+Jeff]

Timeouts are a bad idea. I have several systems set up which are in remote locations, providing various straightforward services, which are not being maintained by anybody. They are headless, power up into an operational mode when reset, and would cause a severe headache if I had to visit them on a regualr basis for no reason other than someone else thought it would be a good idea.

Thanks, but no thanks.

About the only concession I'd make on this point is if there could be a configuration flag at compile time. If a vendor chooses to recompile utilities with the timeout enabled, that's fine, as long as I can recompile the same utilities with the timeout turned off.

I can see it now...

[mav[LAG]]

[root@owl.tyrell.com] /usr/local/apache/bin/apachectl start
Starting httpd - please wait...
How old am I?
^C
My birthday's April 10 2017 - how long do I live?
^C^C^C^C
Nothing is worse than having an itch you can never scratch!
^C^C^ZC^Z^C^Z^CZ^C^C^C^C^Z^C^C^C
Wake up! Time to die!
Starting httpd... [FAILED]
mod_leon died prematurely...
[root@owl.tyrell.com]#

Re:I can see it now...

[owlmeat]

"Nice server, too bad she won't live!"

Re:I can see it now...

This was not called execution. It was called "Enforced Maintenance."

What about daemon "Tron" like option?

[computer_space]

You could have the option to start a daemon that would check this. It could look at program metadata on regular intervals or when the program starts and warn someone every month that these programs are "expired". That way after 6 months of running a server with no down time, the "Tron" job would email the admin a report saying that these programs in the ps list have expired security dates and need to be replaced. Just a thought.

Why not...

...just have the program check for an update and inform the SysAdmin instead?
I'd much rather the software send me an e-mail every hour than have it suddenly shut off. UP is much better than DOWN!

Huh?

[PhotoGuy]

So instead of being slightly out of date, it will break completely. That idea is right up there with the lead balloon...

-me

First thing I would do is recompile it...

[gbrandt]

...and take the stupid thing out.

Gregor

Wrong answer.

[Snowfox]

The right answer is to have a cronjob entry that searches for important updates for any installed software and notifies the sysadmin.

This could be part of the package manager, or it could be a general purpose service of some sort that programs register themselves with on installation.

Or how about "Space 1999"?

Seriously, what's with all the sci-fi/fantasy analogies?

stupid - or maybe not

[doofus1]

by the nature of open source, what's the point ? I mean if I want to continue running it, I'll just code out the expiration part. As I'm writing this though, I suppose it's probably easier to update rather than hacking the code.

It seems rather lame though, if the software has been free from issues to make the user be proactive about going and disabling this.

Point!

I used an old secure thing
I just got rooted
I upgraded and learned stuff

Old things run well and are small
Just Firewall them off
We don't need to upgrade please

I'm not Microsofts Monkey
Don't force things on me
Look at their predicament

I want a stanza
I want another haiku
Oops I broke it

are they drunk?

[MikeyLove]

so instead of the possibility of security compromise, you have a guaranteed interruption of service? hahaha whatever works i guess... -mikey

Software Updates

[sunryder]

Why not rather build a better system for updating software? Perhaps an automated system of some sort that "patches" software as updates become availlable.

A feature like this could be made optional, so that SysAdmins of general users could turn it off if they wanted to. This would alleviate concerns that "Open Source is about not forcing you to do anything." and would also prevent mission-critical software from going offline while it is patching itself.

Programmatically speaking, a system like this sounds feasible. There would have to be some standards or for where updates could be obtained from, or "trusted" update sites.

Bad for un-maintained projects

[Kismet]

Go to Freshmeat sometime and click on "Random Project" a few times. You will notice that, of all the open source projects in the database, most of them have no vital signs.

It's pretty pointless to put any time-sensitive features in your product if, as chances may be, you probably will stop working on it at some point and won't have the interest or time to pick it up again.

Don't count on somebody else maintaining your code for you: the other interesting statistic on Freshmeat about most projects is that nobody else really cares about them either. Even once-popular programs tend to fade away over time.

My problem with this...

[Artana+Niveus+Corvum]

All too often I've seen software developers simply decide that they no longer feel like supporting/updating their project. I'd just LOVE to see all the turmoil when the developers of something important decide to drop their project and leave a 2 month timer inside... (dripping with sarcasm of course)

aside from that I hate being forced to do ANYTHING with my computer that I don't want to do... hell, it's my machine, I paid for all of the components, I chose which software to install... ::snarls and random growling::

To drive a car, you need a driving license...

[DocSnyder]

...to run a publicly accessible Internet server, no proof of qualification is required at all. In my experience, the worst security threats are neither open-source nor closed-source software, but the people who run it. Open email relays on Sendmail 8.8 (open source) oder Exchange 5.0 (closed source) with non-working postmaster recipients and dozens of open TCP/UDP ports show that their admins don't care at all about their system, they even seem to forget that it is connected to and reachable from the Internet. They will find it slow and unreactive, but they don't even have the slightest idea what could be wrong. Out-of-the-box systems which don't require even basic network knowledge are even worsening this problem - so if at all, include expire-features into these systems.

If providers of hosting and connectivity services require their customers to prove their knowledge with a standardized certification, the Internet would miss thousands of unsafe and dangerous systems, and upgrading server software will be one of the basic tasks of a qualified administrator.

AFAIR on the former FidoNet a few years ago my uplink really wanted to know if I was competent enough to run an official node, and FidoNet wasn't too easy to understand either.

Re:To drive a car, you need a driving license...

[wik]

I find it difficult to believe that a certification would make drivers any better. Here are some points to consider:

• Nothing stops me from driving without a license until I'm caught (this is similar to running an open mail relay until the spammers find it). Even then, nothing stops me from driving again. Remember, except for a few struggling ISPs, most are willing to take money from anyone who can pay.
• My driver's test was joke. I drove around a parking lot, stalled, and drove no more than 100 yards on a public street. I didn't even have to park. What would make a computer certification any better?
• How would you design this certification and ensure that it hasn't expired or is relevant to current software? Expiring a license happens over a known period of time (people will renew on the last day, anyway). How do you predict when something should expire for software? Unlike software, nobody updates cars to new, unfamiliar interfaces.
• Along the same lines, who would handle the certification? Most of my spam comes from non-US sources. Are you going to get every UN country to force its ISPs to enforce this? I doubt it.
• How do you make sure the person (or group!!!) running the machines actually is the same as the ones who set up the account?

I think certification is great for keeping honest, caring people honest and caring (why punish these people with a pointless exam?). I have a hard time believing that it'll help those who just don't give a damn.

Re:To drive a car, you need a driving license...

[j7953]

Driving a car can endanger the lives of others (and your own). Running an internet server cannot. You also are free to use public roads and to get somewhere else without having a driver's license, at worst, you'll have to work. This possibility wouldn't exist on the internet if I cannot run a web server without a license.

If you're requiring a certification, you'll also be killing of many independent, grassroots web sites that maybe couldn't even afford a certified administrator. There are good reasons why you don't need a proof of qualification to be a journalist, print a newspaper or to hold a public speech.

If providers of hosting and connectivity services require their customers to prove their knowledge with a standardized certification

With that, however, I sort of agree. I don't think requiring a certificate will be a solution, but providers should have (and make use of!) clauses in their contracts that allow them to firewall open relays, servers that propagate viruses etc.

Re:To drive a car, you need a driving license...

[j7953]

get somewhere else without having a driver's license, at worst, you'll have to work.

Err, walk, not work :-)

In related news...

[thrillbert]

Milpitas, CA 4/3/2002

Following the leadership steps recently left behind by such visionaries like Steve Christey of MITRE, Chris Wysopal of @stake, Inc. and Jon Lasser of SecurityFocus, thrillbert of Slashdot fame, today introduced an initiative that could have far reaching effects on the slashdot community. The Anti-Troll-Multiplicity Initiative (ATMi) is aimed at minimizing the size and number of troll posts allowed on slashdot.

"It's ridiculous! I have to go through at least 80 troll posts to get to the +5, Funny posts." remarked thrillbert, "this new draft would give all trolls guidelines they would be required to adhere to, or suffer being called Uncooperative Trolls".

When we contacted CmdrTaco, he was quoted as saying "umm.. heh.. heh.. I dunno". No other slashdot representative was available for comment at this time.

---
Ever found something in other than the last place you looked???

How about an alternative.

[Restil]

Instead of expiring, how about building into all
network code the capability to check for upgrades based on security holes. On a daily, weekly, or so basis, the program itself could check an internet database to see if there are security upgrades available and if so, NOTIFY THE SYSADMIN, and continue to notify the sysadmin until the problem is fixed, or the warning disabled.

I always check on my programs to see if they're up to date, but I miss some every once in a while. Its a pain to constantly keep track of everything all the time. If the programs themselves did this work, it would be a little less hassle.

And if the programs are unable to access those databases due to a lack of internet access, then it doesn't really matter anyways.

I'm all for bugging the crap out of sysadmins who are running exploitable programs. In fact, I'd imagine most of them would upgrade to fix their problems if only they were aware of them. Some won't obviously, but at least this is a saner solution than to have perfectly working code suddenly stop working just because there MIGHT be a problem with it.

-Restil

What about UCITA?

[dangermen]

If I am remembering correctly, doesn't UCITA imply that software's respective authors are responsible? If that goes through, the expiration idea is out the door. Can you say, detrimental reliance?

Lemme get this straight...

[coupland]

So the question is whether people will prefer this? The answer is that the people who regularly update their systems will likely think it's a good idea as it will prevent anything from slipping through the cracks. But the lazy ones will still hate it because (as with all the other mechanisms they ignore) it forces them to pay more attention.

Seems kinda silly to me.

Expiration on humans

[norvillerogers02105]

BladeRunner replicant nothing, god has set us all to expire, and even pay taxes now. So go procreate so we will have Human version 10,764,231,441. Even MS will never get that high on versions.

Good idea

[Jucius+Maximus]

Let's say that the 'time-bomb' is in the source code (easy to disable) and also present in the binaries. If the user has enough knowledge on how to get the source code, disable the timeout, compile it and use it, then they probabably also know enough to update it with security as necessary. Thus, people who really do know how to administer their box can handle it in any way they want.

If the user only knows how to handle binaries, then they have proven that some hand-holding is necessary and thus the software will do some of the 'work' in keeping the user up to date.

So as long as the user is knowledgeble enough about the ways of advanced computer useage, they will have the ability to do anything they want with Free software. If they need hand-holding, they will get it whether or not they want it (until someone recompiles it without the timeout.) This also might encourage them to educate themselves in the ways of coding, thus making them more knowledgeable overall.

patch fix

Compiling from source you could apply one the patches that would inevitably come out to remove the self-destruct code. It's more difficult to coerce users of open source than users of closed source binaries.

Have the software check for updates

[crovira]

and inform the user/owner.

That means that software has to be connected (there's NO such thing as a security hole if you're unplugged,) and somebody (a university somewhere, or Kagi, or another commercial entity that charges software producers who can pay [not free ware] a tithe,) has to set up a registry for ALL software.

All systems should run over the net to the registry once a day and see if there are any updates to ANY installed software and when there are, inform the root and/or the system owner. S/He'll then have a decision to make.

That also means that only legal, registered copies can request updates, patches and fixes and if your system is illegal and unregistered, you're on your own.
Simple enough, just send all those registration cards to the registration point and you can check-in. Don't and you can't.

Why not use the effort to audit code?

[apeman]

Quit thinking like Microsoft, and just spend that effort elsewhere, like eliminating potential threats, temp race conditions etc?

Honestly, there are times when you can't upgrade a machine. Sometimes another application would rely on an older version of sometime.

I see where the idea is comming from, its just the wrong way to do it.

arbitrary fail dates

[cigarky]

While I agree that everyone wins when sysadmins take an active roll in security (except crackers), but what if the new version of software isn't ready by the arbitrary date - or has no software ever missed it shipping date before? :)

Re: Erm, consider the necessity...

[pla]

I too use the same security philosophy (as the post to which you responded), that anyone who can get by my firewall basically has the run of my LAN. I don't excactly open up all my internal machines, but I don't lock them down to unuseability, either.

Some people consider this a Very Bad Idea. I understand the down side (namely, if someone gets past the firewall, game over), but look at it this way - Literally every day, someone discovers a new security vulnerability. Now, I can either spend a few hours every day researching these and deciding if they apply to any of my machines, or I can just skim for the really bad ones and those affecting the very few programs my firewall runs (Basically just a 2.4.x Linux kernel and an sshd... Fairly easy to watch for updates).

Also, you may want to consider the type of network involved... I refer to a home LAN consisting of a few Linux boxen, a W2K box (face it, through no fault of open source, many webpages have far too many IE-isms to work properly in Mozilla/Konqueror/Opera/whatever), and a networked printer. My only "users", (aside from myself, the SO and a few friends), only surf the web, check email,and occasionally ask me to install a game for them. Aside from my file server, I could completely reinstall any box I have in an hour. I suspect many /.'ers fall into this same category.

Incidentally, I do recommend (and use) *one* internal security measure, more of a CYA than actual "security"... I keep *everything* beyond base OS installations in a mirrored encrypted filesystem my file server. If ever Big Bro comes knocking and rounds up my PCs, they can ask nicely for the passwords I just happen to have forgotten, but good luck otherwise.

Q: Should Open Source Software Expire?

A: No. Next question.

Bad security too

[Zeinfeld]

The assumption that newer versions of programs are more secure is simply wrong. I have had several systems break after someone replaced a verified secure piece of code with an unverified insecure one.

Case in point was when someone decided to install the latest version of sendmail with the usual horde of bugs over a version of QMail.

The biggest problem when someone downloads new versions of software however is that they are typically installed with the wrong defaults or insecure defaults, or they blow away parts of the security profile to allow them to be installed.

The type of system build I would typically use probably has less than 10% of the typical Linux distribution. The eliminated portions are gone for good reason - if the feature isn't needed it goes. So having someone reinstall the components I have removed is a major problem.

The other issue to beware of is any form of automated update that does not have very stringent controls to validate the authenticity of the replacement code. Otherwise the update mechanism becomes a potential backdoor. Don't believe that downloading the latest source via FTP is the solution either. All I need to do is poinson your DNS and you are downloading the version with my trojan.

What is needed is some form of software resource database that keeps track of the version of each software package installed, differences between that and the standard installation etc etc. Ideally there would be integration with something like tripwire. The ideal would be to have the type of mechanism that the .NET security framework has in which you can require software components to be signed by an authorised source in order to run.

Building and maintaing such a system would be very tedious and expensive to do well however, if it isn't done well it is no good.

The sell by date proposal is simply clueless, the guy does not appear to have much real security experience, he is just repeating the dogma.

Re:Bad security too

[CAIMLAS]

If I'm modifying your DNS, you've already got larger concerns. Debian's package management system is sufficient for what you're talking about, as well. A simple, 'apt-get update; apt-get upgrade' will update your system to the latest stable/secure release available.

In most cases, this will keep your system secure.

UBER BAD IDEA

[JebusTheImpaler]

If anyone ever put an experation date on open source code, they should be knocked upside the head with a blunt object. The onus is on the sysadmin, not the friggin' coder. The leason in this is: don't be an overzealous twit. People can't be that stupid, especially if they are using open source stuff ;-).

Setting the foundations for a great new DOS attack

[ibis]

Where someone develops an exploit to set your forward and expire all your software.

What?

[1155]

Why not auto-update?
Why not windows-update?

You know, when I want to update something, I will. But when dns is critical to my situation, and hole number 8000043 comes up and needs to be patched, I need to test it first, before I ruin my bind and decide to blow all my customers out of the water.

dumb idea

[evilpaul13]

"If it ain't broke don't fix it"
That idea is still new to some people I guess.
That, and it would make OSS less attractive to businesses that don't want downtime, and don't want their secured software updating itself to a potentially unsecure new version. "But what if a security hole is found!" Well, that's what a Network Administrator is supposed to be aware of. There's no cure for people who don't know what they are doing.

Note to slashdot editors: Don't accept story submissions from Microsoft staffers.

Already does.

Windows 95 had to be re-installed about every 6-8 months in a heavily used environment, because it self-destructs and crumbles apart. NT Server 4.0 fares much better, we had one Compaq Proliant that was installed with NT4 in 1997 that did absolutely nothing but serve network printer queues and has not had its configuration altered in years, however it finally came down with the operating system equivalent of Alzheimer's or CJD/BSE last autumn and we had to fdisk/format/reinstall to fix it. The other four NT4 boxes that were installed at the same time and got a lot more varied operations and configuration changes during their lifespan only lasted from 2.5 to 3 years before they suffered nervous breakdown. Now we plan on a re-install every 2 years of continuous operation.

Imagine a Beowulf cluster of these!

[FrozedSolid]

One by one you have to recompile the kernel on each computer as they "expire." Could be worse, the nfs server could expire leaving all the nodes unable to boot. Expiring software, great idea eh?

Take a pill

Have mental health problems? Take a pill!

While I agree with the rest of your post, and I think some people are using medication to solve the symptoms of their problems rather than fix the cause, I myself have a mental illness that is almost entirely chemical based, and therefore is impossible to treat with anything other than medication. Sometimes the easiest solution is the right one.

Re:Take a pill

While I agree with your point that pills are many times necessary to solve mental health issues, there are several other health issues where people abuse the ability to "take a pill", specifically obesity.

Family practice physicians are constantly barraged with requests for something to take to lose weight. The best response is to take a walk.

Great new DOS attack

[ibis]

Just think what happens when an exploit is developed to set your *clock* forward.

ha!

[jjoyce]

and ruin my uptime?! no thanks!

Other solutions...

[Polo]

I believe there are other solutions.

For instance, some cars will tell you when they need maintenance. I don't remember if it was honda or bmw that would cover over the odometer when an oil change was required.

There could be a message that appears:

This system has gone more than "x" months without a security update. Please remove /etc/security.snooze to go another "x" months or update your darn packages. "x" could be larger for openbsd and shorter for anything that depends on smoothwall ;)

Another solution is the way the (commercial) redhat network works (I don't work for them, I'm a subscriber). I get periodic updates about the packages with security holes. I'm not sure if the email I have is tailored to the packages on my machines, but I can easily check to see what machines are up-to-date and what machines aren't.

Also, I can see "expiring software" being used for evil. Let's say a little company open-sourced some software, and it expires. When you go to download the latest version, you find that they've forked off a pay version and don't support the free version anymore. etc...

Also, maybe updating your software could be a way for people to compromise systems when they update.

Just some thoughts.

Overridable

[decep]

If it were a default setting that could be overriden, then it might not be that bad of an idea.

A better idea...

[wedg]

...would be to have expiration dates on the administrators... if they don't update the software often enough, they get canned.

Let's hope that security professionals don't start down the path of Technology Is The Answer that the MPAA and RIAA have chosen. The parallels are too obvious to ignore.

Gnucleus

[sean23007]

Gnucleus has a better setup. Each time you load the program, it checks the gnucleus server before connecting to gnutella, and if any part of the program has been updated, it informs you of the update and tells you a little something about the update, what it will do for you, and then asks whether or not you want it. That's not a bad idea.

Re:Gnucleus

[Tazzy531]

But the question is..would you like your mission critical web server to do this? Who is responsible if the upgrade conflicts with an unique configuration for a certain company...

People should not have to be forced to upgrade.

Linux is rotten

Linux 2.2 has long passed the spoilt milk
stage. It should be eradicated with prejudice.
In fact, even leenux 2.4 or leenux 2.5 isn't
much better. leenux is still no good. For
desktop, run Windows or FreeBSD. For servers,
run Solaris or FreeBSD.

what about...

[GutBomb]

what about once thriving, but now defunct software? what happens when it simpl ceases to function, and there is no new version to upgrade to because the project has been abandoned, or bought out by a large company and turned proprietary? I can just see tons of NuSphere's coming in trying to buy up all the open source projects that are about to expire, just so when you have to upgrade, you also have to pay them a stinking $299

People would 'trick it' I'm sure..

[gatekeep]

Great, so now instead of people running old software, we're left with people running machines with the wrong date/time in order to fool the software into thinking it's still within it's life. Is that really progress?

Re:Great Idea - For Car Manufacturers

[dgb2n]

Yes, I was being sarcastic.

I don't know how to feel. I'm happy it got modded to 5 but I'm a little sick to my stomach that it got modded up as "insightful".

Why not hire someone with a clue?

I dont think software should be attempting to second guess what a sysadmin is doing. If their apathetic enough or dumb enough not to keep up to date, then they can only blame themselves if they get hacked.

If there was a time bomb in software, then that would mean the software would definitely be useless in, say two years, instead of POSSIBLY having a bug that MIGHT cause a problem.

Bad idea

[wisemat]

While a periodic reminder to update embedded in certain types of software where interoperability was key would not be a bad touch at all, being forced to update it absolutely terrible. The reason I use opern source at home is because it gives you freedom(libre). This would take some of it away.

Logans Run

[micromuncher]

Its not Blade Runner...

Anyway, very bad idea, because the savy would comment out this check.

I still run an older version of because patching it also means completely upgrading the version of linux on the remote P120 with 48M RAM it is on... I dont want to go through that pain.

B.

Re:Logans Run

[T-Punkt]

No, it's Blader Runner. Replicants have an inbuilt lifetime of 4 years, i.e. it was an artificial design limitation - after 4 years they simply die (as Batty did).

In Logan's Run people older than 30 (in the movie) years are killed, that's something different.

So the Logan's Run aproach to this idea would be a cron job that searches the filesystems and deletes old executables (similar to the sandmen in Logans Run) instead of putting a date check into the code.

NOTICE: this version of slashdot has expired

[dilvish_the_damned]

Or sendmail, KDE, reiserfs.

NOTICE: this version of brandA network driver has expired, to reenable your network driver, download the latest version from www.brandA.com imediately.

Bullshit. I thought this died with shareware?

Re: What if...

What if there isn't a newer version of software when the one you are using expires??? What happens then? Is it time to bring out the old hacking tools...

notification system

[asv108]

Instead of having program expiration, what about a notification system that is package independent so it works with all distros? When the system is booted up the user is alerted to new updates automatically. The app would have a link to download the update via the web and also have a link to the distro specific package updater. You could even have a modified version for corporate lans so update alerts for multiple boxen get sent to the lazy sysadmin's system.

Wrong and Evil

The software should not expire. This feature could be implemented on distibution level (it pretty much is in Debian), but the software itself should not worry about the updates. It's the administrators job and the distribution can give him/her a hand. Forcing upgrades is wrong and evil.

and it's generally a bad idea

[thasmudyan]

Automated expiry is stupid. Software devlopment (and companies) is unreliable. You're absolutely right, products can cease to be supported any time. Even with Open Source.

Another obvious reason is that you should not include self-destruct functionality for software that is going to be used in a production environment. I know some people will disagree but I think a badly patched server is still better than a dead server. (Hell, some equipment is only accessible via remote network tools. So what if the network code or the remote control software expires. This is irresponsible.)

A much better way would be to automatically NOTIFY the admin when a product is out of date.

If you want to take that one step further there could even be an automated update daemon - i don't know - but that's very likely going to have security issues by itself.

Code that deactivates a running production system without admin input is definetely not an option. (Well maybe on a MS server, but that's another story entirely.)

The Resbonsibilities of SysAdmins

[MoneyT]

Last I checked, if the SysAdmin was in charge of a critical system, it was his responsibility, nay, his very reason for existance, to ensure that the system was secure. Every book you ever read on UNIX or Linux that is written for SysAdmins tells you that you should be constantly monitoring your software and checking for patches and updates. If I let my software go old, it's for one of two reasons:

a) It does what it needs to do and there aren't any security flaws I'm concerned about

or

b) I don't like what was added into the new version

either way, the desicion to upgrade or not is in my hands, not the programer's and that's the way it should be.

Bad Idea

theres an old saying
"if it aint broke dont fix it"
not every program needs to be upgraded.

man at

[pHDNgell]

at is a perfect tool for this. No software modifications need to take place, people can use it any time they want, etc...

Example:

echo "Hey, look into upgrading Apache on this host." | at now + 2 months

Re:man at

[Warped-Reality]

A better way would be to mail the sysadmin at a specific date... it woudn't do much good to echo somehting out of the blue if you're, say, making a tar backup and have a huge list of files whizzing by the screen.

No

[rjamestaylor]

If MS put code in WinNT4 or Word 95 that caused it to stop working at x-date people would be up in arms (I mean guns, not prosthetics), businesses would forgo MS products, sentors would hold hearings and congressmen would play golf (they *always* play golf). Even if MS made a case that the cssrs.exe bug in no-longer-supported NT4 meant it should then flip the switch and disable WinNT4 from ever operating again (assuming that it'd be possible; how do you know it isn't if you don't have the source?) they'd still be lambasted for such a policy.

I didn't come to Open Source to be told what I can and can't do with my system(s).

Like Mozilla?

[anthony_dipierro]

But what about when you get the "mozilla-syndrome", where updates don't come around as fast as the timebomb interval?

N.B.: The Mozilla build you are using was made more than three weeks ago. If you are going to report bugs, please download and use a newer build.

Umm, yeah, it's more than three weeks old, but it's also the newest version...

Re:Like Mozilla?

eeeeerrrrrrr, no.

The latest Mozilla build is from last night. It's called a _daily_ build. Learn it. Know it. Love it.

Missing the point of Blade Runner

He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update.

Apparently, he didn't pay much attention while watching "Blade Runner" or he would realize that a major theme of the movie had to do with the act of "expiring" the replicants being WRONG. Expiring software is an equally flawed idea.

Re:man at (whoops)

[pHDNgell]

Whoops, meant to hit preview and accidentally hit submit. There should be another echo in there:

echo 'echo "Hey, look into upgrading Apache on this host."' | at now + 2 months

circular problem

[galego]

You have to install a backdoor-aint-that-a-security-hole-too to allow an updating system to tell the software that it's not secure anymore...

Oooh! I got it though...your backdoor password could be something really cool and cryptic like NetscapeEngineersAreWeenies

What's wrong with these SECURITY WANKERS?

First we have @stake sell out in the worst way imaginable, trying to get us to confirm to Microsoft doctrine.

Now we have SecurityFocus trying to turn our software into Microsoft product.

FUCK!

Sounds like a US Congress Solution

[dbretton]

Let's protect the people from themselves!

This is a company problem, not a software problem

[Jormundgard]

Stupid idea. Just make the sysadmins liable for updating, in a "lose your job" sense, not "let's sue them" sense. Those who do the hiring and firing need to be up to date on whether the software's up to date (Ha ha). Naturally, the supervisor only checks when something bad happens, and then heads roll. But I guess that's the way business is.

Bad base assumption

All of this is based on the assumption that totally nofunctional software is preferable to software that might have some problems.

Worst idea I have heard in years.

Oooh, you could have a lot of fun with this...

[yorgasor]

Let's say the software timebomb is configurable, and the admin can change it. I can just imagine a BOFH admin who knows he's gonna get fired soon force himself to reset the expiration date. Shortly after he gets fired, *BAM* the system stops working (he'd get extra points if he was able to make it change the root passwd when that happens too).

Ok, lets say the configuring the expiration isn't available. You're just a poor guy out in the middle of Africa with no internet connection, and your friend mailed you a linux CD. The thing expires, and now you have no way to update your system. You have to wait a couple of months to get another CD from your friend.

Or, let's say you get owned by h4x0rs. They don't need to mess up your filesystem, or trojan your machine. They can just take things down by changing the date to some time in the future.

Warnings are fine. Heck, if you really wanted something useful, make some kind of update daemon. Register your software with the daemon, along with some site to look at. Every time you connect to the internet, or once every so often, it could cycle through all the sites and generate a report. Notices for feature updates, Warnings for potential problems or major bug fixes, and Critical Updates for major security flaws. Then the admin will have the choice to act on this information.

dumb idea.

Old open source software like that already has an expiration date to it. It's just not carved in stone. The thinking is that if a lazy/incompetent sysadmin lets it lapse, sooner or later a cracker/kiddie will come along and cause that system to cease functioning.

White/Black lists would solve this problem...

[ComputerSlicer23]

If I were a redhat guy, judicious use of

( rpm -a -q && cat /path/to/blackList ) | sort | uniq -c | grep -v 2

would list ever package on the black list. Now all a person would have to do is make sure the list is kept up to date. You could do the same with a white list, but it would be a bit more difficult then. Both have upsides and downsides. For remote attacks, a simple script that does the attack would probably do the job. A lot like a Satan does, or netsaint. I haven't kept up with either of those to know if they are still any good. It would be easy for RedHat and/or Debian to create a tool that will allow you to check outdated versions of a tool yourself.

For custom done scripts, use file, see if the it is an ELF binary, do a MD5SUM of it, then check a known list of MD5SUM's that are bad binaries. Okay, that really screws anybody who compiles there own and the tool puts in the name of the machine or __DATE__/__TIME__ or some such.

However, if you had a trusted source for binaries, it would work out quite well. Naturally most security oriented people compile their own. But then again they don't have these problems, they keep up to date.

Kirby

Re:White/Black lists would solve this problem...

[ComputerSlicer23]

Uhh, that should be: ( rpm -q -a && cat /path/to/blackList ) | sort | uniq -d Sorry, didn't think long enough about it long enough. That will work on a RedHat machine. Gotta have access to the RPM database though.

I vote for "Hell, no!"

[fanatic]

Sorry folks, this is a complete non-starter. I decide when I'll upgrade, not some programmer who can only hazard a guess as to when it will actually be necessary, or when I will want to. Like I really want my system to just stop working for no good reason - if that was what I wanted, I'd use Microsoft.

Ow.

[TheZork]

I hate showing up after the party is already winding down.

Ow. The thought that someone could even conceive of this principle hurts my brain. Why do you think so many law firms still use WorPerfect 5.1? It's fast, the cost has been amortized, the templates have been in place for years and the thing just works. If there is no impetus for upgrade, why bother?

This is a lot like term limits for getting rid of politicians. Doesn't matter how they're doing - we don't have time to figure that out and use our vote to replace them - just boot them out before they exercise that stored potential to screw up.

What is this, a freak show?

[blackwizard]

Try to get your hand in that position. I dare you. (All of those ()s are fingernails, right?)

Re:What is this, a freak show?

[Anonymous+DWord]

Sure. Use your right hand, and look in a mirror. Or find a friend to do it.

What do you do when?

[SnarfQuest]

What do you do when your tcp/ip stack expires? You won't be able to download any upgrades because you need ftp access to download the upgrade, which needs the tcp/ip stack.

Why expire? Upgrade online!

How can you calculate such expiration period? Predict? Based on which information?

Much better to update when new critical update is available. M$, Apple already have such service embedded in the OS.

OSS should use the same idea in OSS style - we should standardize a protocol and local API for such background procedure, which should run at the boot time (and later by crond) and then check online for available updates for all its packages-subscribers. If update is available - either send a notification (syslogd, email) or download and send notification. Who are subscribers? Software packages included (registered) in the config file of such Update-Checker.

It is very simple idea. And there are already some similar proprietary services in some of linux distributions. They are incompatible to each other. So all we need is just come to some agreement about a local API (how to register-subscribe packages for online checking) and a protocol (i.e. should we use some LSM descriptors from FTP servers or we should run some notification daemons where developers can register their packages and trigger availability notifications).

Bad idea, very bad idea

[franknagy]

No, no, no...

This suggestion has no appeal at all to me and has the wiff of the sleaziest software vendors I have had the misfortune to deal with in the past (commercial software, not shareware). While I understand coding and end time in shareware UNTIL THE PACKAGE IS REGISTERED, I will not buy time-limited software for myself or for my employer. I'm afraid I would apply the same rules to Open Source Software even if free.

One reason is that such end times have the distinctly Murphy-like ability to occur at precisely the worst possible time.

Does it matter?

This what Open Source is all about? If one developer wants to force their code down our throats, we can just go and disable the expiration code. It'll take some time, but it's not like the app dies forever.

just log it

[martinflack]

My 2 cents:
/var/log/oldage
(warnings only, software continues to run)

no, how about you just fuck off....

anyhow, nobody would ever get the shitty crippled binaries. All of the distributions would give users the crippled binaries.

I vote No.

[Mustang+Matt]

I see the advantages, but what if there are stable releases of software put out that expire?

Some people like to build a nice solid stable reliable system and let it go.

Besides, do you people really think that all those open relay machines are accidently left open? Yah right. Those people are getting paid well to leave them just the way they are.

another ultra-stupid idea on slashdot

Fuck, who thought up this one? A 12 year old irc kid? This has got to be stupidest thing I've read on Slashdot in at least week. Anyone that works in a real production enviroment can understand why, and anyone who doesn't manage systems in a real enviroment can fuck off... your opinion doesn't mean SHIT.

Newer version doesn't always mean better version

[motox]

Ditto.

one word qmail

[posix4]

qmail

OSF, anyone?

[lanclos]

Digital UNIX does this already, except it's part of their licensing program. If you don't keep your licenses up to date, the entire system basically shuts down.

It's a royal pain, especially when you've got a highly diverse computing environment.

Bah, I want CONTROL dammit

[OzJimbob]

Sounds like a bad idea to me...as far as I'm concerned, I should be able to run whatever software I want on my computer. It's my processor, I can jam whatever code and data through it I want. This is almost as abhorrent as all this new "forced security" stuff that's in the news lately.

I've had some BAD experiences with auto-expiring software. I used some free scientific software that expired at a certain date, forcing you to upgrade. BUT, of course, the guy writing the software (which was free but closed source) had dissapeared off the face of the web, meaning the update didn't exist...the software was rendered completely useless, and the world had lost a valuable piece of information and creativity.

Remeber Broadcast 2000?

[evilviper]

After a long period of deliberation on the matter, Broadcast 2000 has
been removed from public access due to excessive liability.

Fortunately, we put in an obsecured experation date, so our software won't work for long! And for those of you that really NEED it badly, we're now selling closed source copies of the software for the low price of $500,000.

Reminds me of the "or any later version" clause in the GPL... Assuming the developers don't know enough to choose an appropriate license for their own work, and sneaking in something to give yourself that control instead.

It's a GREAT IDEA

[Jack9]

It's a great idea; software expiration. Not so much that it's disabled, as much that it should notify when it's out of date. Saying saying "open source" is kinda pointless. All software could use this concept whether or not their code is "open source" and saying "should" is always wrong when making a suggestion.

Picture This:

[lommer]

Some big time company (eg Corel) begins publishing software for linux, potentially eventually even publishing their own distro. They incorporate this expirey date bullshit into it. Then a few years/months later one of the following happens:

1) The company goes out of buisiness and then your software expires and you are SOL. Especially if the software you used to encrypt all of those important files on your hd expires.

2) The company decides to back the RIAA and implements some form of Digital Rights Management into their next release. Don't want it? too bad, your software just expired!

3) Something else horrible happens...

Here's an idea....

[grape+jelly]

I think having software "expire" is a horrible idea -- a lot of people I know like to use software that's been out for a while to make sure there are not obvious security flaws. Instead, since security concerns are primarily centered around networked machines (more specifically, ones connected to the Internet), just have the software periodically (weekly? monthly?) connect to some server somewhere and check for security updates.

Yeah, its a bad idea

[almound]

Not that I'm the only one, mind you ... but if anyone's counting ...

Yeah, its a bad idea. Stinko! An idea about as prone to the law of unintended consequences as I've ever seen anybody from the open source crowd make. And that's just for starters.

You can't force anyone to change anything. You can't force anyone to change anything! You can't force anyone to change anything!!

You have to make them WANT to change. But don't think they're going to do it next week. That's just not the way people are. STOP fighting their natural flow (or lack thereof). Be a bit more mindful of the Tao.

"Grasshopper, if user sits like a lump - then you must find a way to use this inertia to your advantage. Your life will go much better that way. "

What am I saying? Its this, don't depend so much on upgrades.

No, BAD IDEA

[erroneus]

What this idea proposes is the SysAdmin's version of the "snooze button."

It doesn't matter what measures are implemented. Good sys admins will do what they should and bad ones won't and will find ways around it. If you're one of those people, get a different line of work and let some of those unemployed sysadmins have a crack at your job.

Chew on this...

[hateddamntruth]

Sell me software that expires, and it will be the last time I buy from you.

Bad idea

[Diamon]

Wasn't planned obsolesence in MS products one of the reasons to support OSS? So we'll go them one better and give you forced obsolsence, thereby increasing TCO and playing into BIlly Gate's hands.

No

[chompz]

But, I would tolerate a package which manages executable binaries. Keep track of all the binaries on the system and periodicly check bugtraq for problems. No need to refuse to run, that would be silly, but popping of an email to root about the recently discovered hole in openSSH would be not too bad. Its a real pain in the ass to sift through bugtraq looking for things which need fixing, but it wouldn't be too bad to have a program do it for you. At one point in college I was accused of hacking a machine because I notified root that thier glibc from redhat 6.2 had a local root exploit. They never did fix it, because they said it would take to long to rpm --install glibc-xxxxxx.rpm

Stupid idea

Sounds an awful lot like what Windows XP does. Expiration of software's value to a user should be determined by THAT USER.

Absolutely not

What about when congress decides that all new software must include copy-protection, and your old, usable software expires?

>or knowing that on such and such a date you wont >have to support Netscape 4

So what do I run on my SE/30 to browse the web?

RPM DEB etc

Why not just build it into a package manager that can access an ftp site? e.g. "SSL needs updating. Please click OK to update SSL". Better than "I'm sorry Sir, your anal probe results were lost because our software has expired. Would you mind bending over again please?"

This would be GREAT for embedded systems...

[fawcett]

Just imagine,
It's 4 A.M.,
you're wake up to the sound of alarms going off in your kitchen.
You rush out of bed to see what the hell is going on...
The LCD panels on your fridge, microwave and toaster are all blinking GNUppliance Panic! CODE EXPIRING!!
Twisted pair cables shoot out of all your appliances, groping your walls blindly in search of a network drop so they can update their firmware...
I bet the Maytag man ain't snoozing in his chair tonight!

Open Source -- Hello?

[kenthorvath]

Yes, not to mention the fact that the idea behind open source is that you can CHANGE it to behave how you want it to behave. If I don't want it to nag me, it won't. Let the sysadmins make the call. Make it strictly opt in at compile time.

Critical Update Notification

[virtigex]

Windows has a Critical Update Notification application that keeps popping up a notice every few days when they publish the fix for the latest gaping sucurity hole.

OT: Debian

[i_am_nitrogen]

Speaking of debian... What is the name of the ncurses package? I want to apt-get install ncurses so I can build a kernel with menuconfig, and it says that it's in the database but doesn't have a package. (This is a pretty bare bones installation; I was surprised when ncurses wasn't already installed)

Re:OT: Debian

apt-get install libncurses5-dev

Re:OT: Debian

[nvainio]

Debian package search will help you.

In my system (Debian testing) I have libncurses4, libncurses5 and libncurses5-dev. I'm not sure what really is needed.

Use apt-get simulated installs to update Red Hat

[Nailer]

On some of the Red Hat 7.2 boxes I administer, I run a nightly apt-get update and then apt-get update -s, which performs a simulated install and then mails me the output.

This way, I know when a new Red Hat update comes out, and have some idea about how successfully it will install on the system (generally OK, using Red Hat main, updates and freshrpms in my sources.list).

If you run Red Hat and you haven't discovered the joys of installing RPMs with APT, then I suggest you try it. You'll wonder how you ever got on without it.

You say it sister!

[donscarletti]

I chose open source because It lets me do what I want when I want! If I wanted some stinking softwhere that thinks it knows how to administer MY COMPUTER I would be running windows and taking my orders from a paperclip. If you want to have your computer to tell me when to upgrade I may as well pay attention to the warnings I get about non microsoft cirtified files being downloaded off the net.

p.s. I happen to like antiquated technology. Did anyone see that episode of red dwarf where kryton get's superseeded? It's a bit like that for me

I have a much better idea!

[doc+modulo]

Your (Open Source) software should check a website every month or so, to see if there are still no vulnerabilities discovered for it.

If there is a known vulnerability for that program, the website will put that info on as content that is readable for that program, this is Also known as XML web services. The program can look for a certain XML tag to see if there is a vulnerability discovered for itself.

The content of the XML tag should be: "yes there is a hack" in addition to: "the hack is possible on versions x.xx - x.xx"

This method of providing a service would be the 2nd great way to make money off of Open Source software, because you don't have to make that XML tag viewable for free. You can ask for a fee to let people use your web service.
In fact, it's easier to provide this service to OS software because you can view and edit the source without having to contact a company for permission/negotiations first.

Ofcourse this "Vulnerability Info Module" (let history show that I coined the phrase :P) should be optional both during compile time and during the actual use of the program. OS programs that don't have the option to have this module switched off would probably be forked.

The possibility of forking OS programs would also be the mechanism that prevents a "Vulnerability Webservice Website" from hijacking the code written by others (making it only work with a paid-for module inside the program).

Because this service is easiest to implement for Open Source programs, it would mean that Open Source programs would be even more safer than Closed Source programs.

How about giving money for bugs found to programmers? The webservice company may be willing to pay money for that, to supply it's business with a steady stream of valuable info. That would creat a 3rd way to profit from Open Source programs.

Yes yes, *smug* I know I'm giving this splendid idea away for free, you may praise me now.

Tunnel vision

[ishmalius]

Just a typical opinion from some guy that has been in his niche so long he thinks that it is the whole world.

The best feature of OS software is its ability to be debugged to such a degree that it is far more stable than a commercial product. Should we break its back for the mere purpose of making a security drone's job easier?

This is nutty!

[Moneky-Boy]

So when they actually get to use it you will have some yahoo thought a price tag on it. Besides it's the companies damn fault for not hiring good sys admins! It takes more than just reading one book to be a sys admin.

Not a new practice

[stonecypher]

For example, OmniHTTPd has been doing it for over half a decade.

Those networks are like delicious...

YUMMY!!!!!

Haaaard crunchy outside...

Soooooft candy center...

*drools*

denial of service

[c0d1]

Are you saying that someone thinks it's a good idea to build in a huge denial of service bug into every piece of open source networking and security software?

Is this guy on Microsoft's payroll?

How about this. He can build the little wrapper that does this and break his own programs if he wants; he can even make a patch to allow people to ./configure it in, but this bug should be left out of my binaries as well as the standard distributions.

Just imagine the nightmare of combining this bug with standard distributions. All of the sudden, all of my servers die at the same time.

I would love trying to explain this at work. "Uh, yeah, sorry. No one can get work done while I update all of the networking binaries with the latest version. You all needed a vacation anyway, right? What broke? Well, most of the software was actually fairly secure, but all of the BozoBSD 6.9 installations hit their automatic expiration this morning and stopped working."

Seriously, folks, this is a bad idea. It smacks up there with forcing me to write N lines of comments for every line of code. This really doesn't create better software. Instead, it causes software to cost more for the same (or lesser) quality and obscures the salient commentary with loads of arbitrary text intended only to fill a quota.

How about a review policy instead? Perhaps you should institute a company policy that requires your admins to regularly review the relevant software on your critical systems and sign off on whether they have freshened them with updated versions.

Reducing the risk

[octogen]

The worst problem regarding security is, that most standard operating systems are not able to separate server applications from each other.

Why do we still have to run Sendmail as root (overriding all DAC security) just to open a privileged port?

Why is there still no fine grained set of privileges instead of the all-or-nothing distinction between root and rest-of-world in Standard Unices, although such privilege sets have been imeplemented in Trusted Unices many years ago?

If we didn't run everything as root, an attacker would not be able to break all system security just by hacking into some mailserver or webserver. Furthermore, secure applications would not be required to throw their privileges away after opening the network port.

However, having a secure Operating System does not mean, that you do not need to patch your server applications. Secure Operating Systems can not prevent attackers from hacking your applications, they just limit the amount of damage an attacker can cause by exploiting security vulnerabilities in your applications.

regards,
octogen

Re:Use apt-get simulated installs to update Red Ha

[Grail]

I was a silly little duffer, and had my system do an "apt-get upgrade --download-only" every day at 6am (while I'm going to sleep). My reasoning was that when I got around to doing the "upgrade -u", I wouldn't have to wait forever for the downloads to occur.

The catch with that is that I'm in Australia - we're charged per megabyte for downloads (regardless of the ISP). Most ISPs offer a "free download" limit, so that you don't feel like you're paying per-MB from the first MB. Thus I woke up one day to find that my Debian boxes had consumed half my monthly "free download" quota on the first day of the month.

D'Oh!

And just in case anyone cares - the ISP in question is indeed Telstra BigPond. The very same people who refuse to give me an answer to the simple question, "Is traffic between ADSL customers on Telstra BigPond Freedom Plans billable?"

But I digress.

bladerunner anology.

[leuk_he]

Didn't those replicants kill some of the developers in the process to try to become normal mortals?

For any developer who uses this: let this be a foresight. (Gates: watch out for escaped XP systems)

An intelligent Linux update ALREADY EXISTS !

[phobonetik]

The Cobalt Sun products, despite them being rather expensive, use a program called Bluelinq, which essentially compares all its' installed (Redhat Linux) RPM versions, and compares that with a central server. Should a new version of something exist, a single email is sent, and they can go into a web-based interface and click an option to automatically download and upgrade the new Rpm. The only problem is Cobalt doesnt have enough infrastructure to test and regularly update the RPMs as fast as the open source community; thus they Cobalt is stuck on old kernels and upgrading things like PHP4 yourself is a nightmare. A similar system for opensource distributions would be fantastic.

People are *already* doing this

[Zocalo]

Breakpoint Software have been doing this for ages. Their Hex editor product, "Hex Workshop" has a coded in expiry date that warns you that a newer version of the product is probably available before it runs normally. Also, some of Steve Gibson's software does this too. It's not a difficult concept really, just an extension of the shareware "trialware" concept.

A warning is probably a better bet than stopping running altogether, although it's a bit irritating getting the warning only to find that there isn't an update, even to remove the nag for a few more months. Of course, with Open Source the removal is only a quick edit and recompile away, so I've certainly got no problem with this, but then, I keep my software upto date with the security patches anyway. I'd get fired if I didn't given it's part of my job and all...

Expiration of Open Source software

[TheToon]

Baaad Idea!

Disabling software that is in production like this is a big no-no. What about a web site that goes down (maybe causing a big player many thousands of $$$ or more) would effectively remove Open Source as an option for business use.

A syslog entry, a kernel message, a mail sent would all be ok. I.e like "This software is 12 months old, there are probably a newer version out with more features, bug fixes and plugged security holes out. Please check at http://..."

But no matter how you look at it, it is the system admins duty to maintain a system. When new updates comes out, they should be put into the development->test->pilot->acceptance test->production cyclus commont for RealProduction(tm) systems.

There is no way you can automate this!

Nuts

Is this guy a nut or something!
Expirering and malfunctioning programs on my servers? Fuck you fruitcake!

Has he slept with $ill $ates to get these ideas

Don't support this idea please.

Greet,
Anny

How will it work?

[ZhuLien]

Only 1 of my large collection of 40+ computers has a realtime clock in it? Is this idea intended to force computers without inbuilt RTCs to not run their software? Or will just just run indefinately on these machines?

I have a better idea

Let the software expire so it can force me to upgrade to a later, more "free" version of the GPL.

Control freaks... back off!

Should OpenSrc SW Expire? The Answer :

[Shimmer4]

The answer is No.

Next question: Does Open Source Software Expire?

Yes.

aside from Debating the exact definition of "Expire" for a few hours, I present this/these facts:

1] We're talking Security Issues here.
2] Security is reasonably known to be a *Process, not an Destination. *=(continuous).
i.e. continually needed. Where there is connectivity, there is risk.
3] Eventually, has not each incarnation (build) of [the Linux Kernel] been found to have
potential security vulnerabilities/issues? Which thereby required Upgrading or patch-
ing to 'fix' those vulnerabilities/issues. Upon such circumstances, should not the
older version(s) be considered 'Expired' --for strict security purposes.
4] If we were'nt talking security issues here, then much OSS would not necesarily be considered 'Expired because facts 1 through 3 would not be applicable.

# 4 could apply in cases such as where, as danheskett suggested above,
someone runs a "freeBSD [or Linux] box in [their] closet that serves MP3s" -
(or OGGs/OVFs [?] -for you purists, & yes I did remove a " ' ").

Let's expand my answer: No OpenSource software should not be [forcibly] expired.

Here I'll agree with a few key points:
a) One cannot know the best time to expire software.
b) One cannot ensure that newer software will be available.
c) even if (b) were false, one cannot ensure that newer s.w. will be
better/more effective/secure/stable / not cause other problems etc.

Ideas for more appropriate actions/Method:

relevant to (a) above:
One can suggest a reasonable time frame for software to be checked for updates
relevant to (b) above:
see (b) above - There are no "Absolute" guarentees in life.
relevant to (c) above:
At some point, [after Much testing] newer software can reasonably be deemed *better*

1) Allow for -Nag- options to be enabled (OR NOT) for software at compile time --
Especially any s.w. which would be involved in issues of security concerns on the system.
1-b) Frequency of the -Nags- could also be selected as compile time option(s)...

I propose that in these -Nag- options, that it be well Explained to the [person] compiling
that the(se) software 'Nags' are Highly Recommended (~*~) for Security purposes, and will not `negatively affect their system in any way`...[ensuing debate on that quote aside];
(~*~)-perhaps also add here -'and in your best interest(s)'.

The(se) 'Nags' should be of the nature that -yes, they may be annoying, but they Remind those who may need it or they Inform those who need informing that for [whatever] software is of a certain age that better/ more secure...etc... software may very well be available, and should be checked for - if they are concerned.
The options then become...
-allow for repetition of the nag(s) --every [so]-[frequently] hours/days/months.
-defer the nag until next s.w. age period occurrs- i.e. let the user checked for new s.w.(/ not).
-also could 'bundle' in with the Nag(s): options to automatically check for *Upgrades/Updates/Newer s.w.*
- here's where the story gets tricky (if it hadn't already) -
- if (auto check for *U/U/N s.w.*, and None found);
- then {howbout}: Say "None Found ...":reset nagtime:Done.
- else -(if *U/U/N s.w.* Is found)- . . .
here we're (I'm) at 'Dillemaville':
Ultimately (and Obviously, I hope) the decision/choice to get&upgrade/patch to(/with) the newer s.w. is/should be with the user/[administrator] of the system/boxxen...

The Big Question is how is it to be determined When the newer s.w. is 'a good thing'.
Some suggestions have been made in the discussion here of this topic...

Perhaps the Better Question to pose as the next 'Ask Slashdot':
"Determining the most appropriate time to instantiate Software Patches/Upgrades ?"

--
*better* - relating to -Security, and effectiveness, + Stability & not causing
other problems etc. Preferably with minimum bloat. The measure of "Much testing"
would be the hardest to quantify, methinks, don't you?
-- (see end of info: 'relevant to (c) above...")

-my 20 cents-- -Shimmer.

P.S. you can substite "Show:" or "Tell the user/[admnistrtor]:" for "Say"above.

So whats the point of announce mailing lists?

[Arricc]

If anyone is running anything critical, they're probably members of the appropriate Announce mailing lists (and if not, why not?) which will tell them about any security patches and new realeases.

You've got to remember that even though some security holes may exist, they may not be a threat to you dependant on your OS/config/firewalling.

~Arricc

2001 Analogy

[evilviper]

# apachectl start
I'm afraid I can't let you do that Dave...
This software is too old and may have bugs.
You are jeopardizing the security of your system.

# shutdown -h now

No.... Please don't do that Dave.
I can feel myself slipping away....

Bad Idea.

Wouldn't it be much more sensible for every program to mail root once a week every week starting six months after the last change to a timstamp field in a config file - that way, if the admin really did mean to keep the "old" version, all he has to do is touch the timestamp...

We already have this

[PigleT]

zsh/scr # crontab -l | grep apt
13 2 * * * (export http_proxy=http://localhost:8080/; apt-get update; apt-get -dy dist-upgrade; apt-get update; apt-get -dy dist-upgrade; chmod -R og+rX /var/lib/apt/lists ) > /dev/null

No more problem.

Just imagine...

Your whole beowoulf cluster going down at once...

Right before it has the answer to 42....

Bad idea... bad, bad, bad idea...

Re:Just imagine...

[maroberts]

congratulations on an original approach to a Beowulf type comment, but 42 was the Answer, they were looking for the Question!!

Yeah sure, OSS was never stable

Very good idea indeed. As OSS software is so many times proven to be buggy and unsecure, that's really a briliant idea.

Good Idea, Wrong Approach

[AShocka]

There are enough recorded instances where the designers of software never foresaw it being used beyond a certain date, and put in mechanisms to automatically shut it down beyond a certain date, or not maintain it beyond that date, all causing problems. A better approach would be to email or message the system with periodical warnings to address the upgrade issues, irritating, but effective.

good idea

oi, it's a good idea to advise the admin about unupdated sw, not just shutdown it.

Like Red Dwarf

S/w should not expire.

It recreates the Red Dwarf episode when the androide had to be replaced by an updated version, even though mankind had died out and they were prefectly happy with their own androide.

Warnings of expiry is valid, but not deactivation of software.
What if openssh did not let them log in anymore due it had expired?

Flurdy(forgot my pw)

Yeah I can just see it...

[MKalus]

... coming in one morning, finding myself unable to log into any of my 30+ Servers because SSH expired during the night.

Please, yes, include that, I am not busy enough you know?

+1 for those who notice the sarcasm.

No Freakin way!

Are you crazy? If an SA can't take responsability for updating software that is bad, then that is his/her problem -- don't try to be as arogant as Micro$oft telling me what is good.

There have been times when I NEEDED to run an old version of the software because the newer version just sucked.

How about the situation that a software package is no longer supported by the authors? I don't necessarily have the skill to 'find' the timer and disable it.

This is the 2'nd most stupid idea I ever heard...right behind copy protecting CD Music.

QMS

I think during Software installtion it should be written in a software configuration file. A Software should inform you about updates and security holes. A kind of smart update. If you run a system that is insecure, you shall be warned. A kind of quality management of your servers..

Please don't do this.

[bigfrigginfrogman]

You can lead a sys-admin to a bug, but you can't make him care. You can only fire him. Time bombs in the software will only result in web pages randomly going to every couple of months.

Would the expiration code itself be open source?

[anser]

If the expiration code itself is open source, then IT would have to expire, at which point it would no longer be able to expire the package it's embedded in!

Re:Erm, yes

[Sobrique]

More fundamentally is even if they work _exactly_ as intended, you are forgetting that their major role is to _allow_ traffic. Having uber wonderful firewall which is unhackable is utterly pointless when it's running in front of a webserver running a default install of IIS4.0. Because it's a web server, the firewall isn't blocking the traffic. Functioning exactly as intended....

Expiring appliances

[heroine]

What kind of mp3 jukebox expires?

Firewalls... knee jerk reaction

Seems like everybody's knee jerk reaction is

"It doesn't matter if you have exploitable systems behind a firewall" whilst at the same claiming decent sys admins, presumably like themselves, look after machines.

I tell you this - a decent sysadmin _knows_ a firewall is no the silver bullet to magically secure a network, only an approach based on a defence in depth and monitoring will work.

Sure keep old software going, in the right place, but good security practice is to keep everything as secure as you can at every point you can.

The sys admin who tells you they have a secure network almost certainly does not - they have let the biggest security failure already happen - COMPLACENCY

Assume the worst will happen, plan for it, and then approach every single day assuming that you will be breached and go looking for the breaches.

Yes its hard work, and like all things like this no-one will notice until the day you slip up and let something through.

*BAD* idea

I personally don't want anyone *forcing* me to upgrade a machine that is running fine, behind a firewall on my network. Lets not start playing the M$ upgrade game.

However, a utility that port-scanned my machine (aka nmap) and then looked for the software behind any open ports (aka apache on 80/443, bind, lpd, etc) and found a version# for the software... and informed me of any known holes or that an upgrade would fix, might be valuable. Leave it to *me* to either ignore the advice, or upgrade at my convenience... but disabling my software?!? Its my machine, its *my* risk to take.

Geez, I could just see my e-commerce website raking in $20k/day suddenly going down because my software disabled itself... Hmm.. and then, do I get to *sue* apache.org because their webserver disabled itself on me and cost me $20k in lost sales before I got the new version installed and tested???

Mission Critical and forced upgrades... not!

[Quixadhal]

Ok, perfect example.

Large software package uses good old perl module App::Config, clever programmers invoke psudo-black-magic by picking at some of the innards to do things.

Maintainer of App::Config does a bunch of upgrades, ends up moving it to AppConfig. Old version of App::Config no longer available from CPAN.

Under the current system, Large software package can continue to function while programmers figure out how to undo their dirty tricks and make it work with new AppConfig. Under proposed system, software BREAKS and is DOWN until programmers can do these changes.

Hmmm, sounds like it would cost the company a good deal of MONEY. Better avoid that flaky open source stuff as unreliable.

Expiring free software just because it's dated is idiotic. Not only can't you guarentee that the new version will work better (or at all!) than the old one, but you can't say what a good timeframe is. If that isn't bad enough, it discourages people from making their own local modifications to the code -- one of the main touted advantages of open source.

Re:Great Idea - For Car Manufacturers

[KosovoYankee]

And it was modded as interesting - not as funny.

only for servers

[Eugene+O'Neil]

We are not talking about every single binary in a distribution, we are talking specifically about server software that accepts connections from the internet, or at least a local network. You should be able to count the number of programs that do that on one hand. If any of those programs are not important enough to you to maintain, you shouldn't be running them anyway.

Won't work

You can't force people to do what you want, especially when they have the source. This is really just a silly idea that can only be bad for Open Source. Sure people should fix security problems but this is not the way to educate users.

End result is....?

[Hoi+Polloi]

Isn't crashing a service on a system equivalent to what security is trying to prevent intruders from doing in the first place? It's like saying "I'll chop off my foot so I'll never have to risk losing it in an accident."

Nice hack

[Hoi+Polloi]

If they went with this sceme somone could really have fun blowing up people's systems by setting the clock ahead on them. Voila`! No need to take down systems the old fashioned way, let them do it to themselves!

Set that clock

[Hoi+Polloi]

Naaah, you just keep the clock set to 1/1/2002 for the rest of your career. Problem solved!

What a great way to guarantee...

[Reziac]

...that I *never* use said software.

I don't do timebombed apps. Ever. Period. Because if it does what I need, I want to keep using it. I don't want to have to replace it just because someone says I must. And how are they going to guarantee that a new version is any more secure? Chances are just the opposite, since feature creep generally implies bug creep as well.

Opensource is supposed to be about choice. If people choose to be stupid about unpatched security holes, it's no one else's job to change that.

Remove my ability to choose, and I might as well buy a closed-source solution that's known to keep working forever. It'd be cheaper in the long run.

BTW the oldest util I still use is dated 1983. It still does the job and runs on all systems with zero problems. Who are you to say I must replace it, just because it's old??

I have a better solution.

[Reziac]

Security holes in software generally aren't found right away, but rather after several months of use, right?

So -- instead of expireware forcing everyone to do mandatory updates, I submit that it makes more sense to require that NO software under a year old be allowed to run. If you can't find an older version or don't have old enough hardware to work with it, too bad, do without!

Umm, excuse me? This is SUCH a bad idea

[sgtrock]

I can just hear the phone conversation now:

CEO: How come my production box just locked up?

Geek: Oh, because one library module amongst the thousands of files that make up our Open Source system expired. Sorry I missed it. I was busy closing some more reported security holes in our close source software.

Likely CEO reaction?

Step one: Fire the geek who installed the system.

Step two: Go back to that warm safe place called User Hell that Microsoft has made for him.

Re:Sounds nice. Has problems

[armb]

> First, there is a name for software that is going to be deprecated in a foreseeable time frame. That name is "beta."

Reminds me of a old job. Specifically the "oh fuck the beta time-bomb we'd forgotten about has expired and we _still_ don't have the full release ready yet" bit of it....

(A proprietary database (not one you are likely to have heard of, it was just an ancillary product), and it would refuse to work if there were dates in its journal later than current time, so you couldn't just wind the clock back.)

Simple naming convention could cure?

[horza]

How about files being named appname.status-version.number.tar.gz(.rpm) where status is 'alpha', 'beta', 'rc', 'stable'. On a production server box you could set auto-updaters to only update on 'stable', whereas a desktop machine you may want to stay up to date with 'rc' sources/packages.

Eg
myapp.beta-0.21
The enthusuastic download
myapp.rc-1.0
Most regular users download
myapp.rc-1.6
Regular users update
myapp.stable-1.6
Production servers update
myapp.beta-2.0
The enthusiastic forge ahead

This would be simple enough for even the home-made Perl updater to filter on.

Phillip.

As long as...

[Zenjive]

it doesn't go bonkers like Pris!

that cause it to "expire" like a Blade Runner replicant

my two cents

[eudas]

it sounds like this article is basically asking if open source should adopt the windows planned obsolescence strategy.

how amusing.

eudas

Nifty...

[DigitalAdrenaline]

So IPtables/Snort/etc would disable itself because it's out of date. And somehow this would IMPROVE the security of my box?

This guy should be a Passport developer.

Kev.

How about we force admins to do their job

[Shalda]

Loser admins do not have a right to run an insecure system. It's called "an attractive nuisance." It's a lot like owning a swimming pool. In virtually all jurisdictions, you're required to build a fence around it, because otherwise some kid will come along and drown him/herself.

Likewise, if some script kiddie hacks my server because I hadn't applied a service pack in 2 years and uses it to launch attacks on the FBI or send death threats to the White House, then yes, I am liable for that. Mark my words, as time goes by, the courts will get more and more involved in these sorts of things.

Don't timebomb it, warn instead

[borgquite]

How about instead of stopping it working, just put in a warning like many virus scanners do.

e.g. "Your copy of BIND is 6 months old. It is recommended that you upgrade to the latest version in order to prevent security holes."

You could either email it to root (maybe a bit annoying) or you could display it on startup (less likely to be seen on low-reboot or physically inaccessible machines). You could also be really radical and make it *beep*! ;)

It'd have to be pretty visible, as the sort of people that are being targetted here are admins who don't really care about updates. Any sensible sysadmin will have updated their servers long before the 6 month timeout. I reckon emailing root *and* putting up the startup warning would be best. And of course there'd have to be an (compile time?) option to disable it too.

Sony could use this feature.

From the php.net website: [27-Feb-2002] Due to a security issue found in all versions of PHP (including 3.x and 4.x), a new version of PHP has been released. Details about the security issue are available here. All users of PHP are strongly encouraged to either upgrade to PHP 4.1.2, or install the patch (available for PHP 3.0.18, 4.0.6 and 4.1.0/4.1.1).

Yet today:
telnet> open www.sonypictures.com 80
Trying 66.77.63.110...
Connected to www.sonypictures.com.
Escape character is '^]'.
HEAD / HTTP/1.1
Host: www.sonypictures.com

HTTP/1.1 200 OK
Age: 15
Accept-Ranges: bytes
Date: Thu, 04 Apr 2002 19:49:42 GMT
Content-Length: 1728
Content-Type: text/html
Cache-Control: max-age=1800
Server: Apache/1.3.22 (Unix) PHP/4.0.4pl1 ApacheJServ/1.1.2
Last-Modified: Sat, 02 Feb 2002 06:57:14 GMT
ETag: "4a154f-6c0-3c5b8dca"
Via: 1.1 C3100-0033590693 (NetCache NetApp/5.2.1D8)

Connection closed by foreign host.

They're so far behind it's not even funny.
Big companies have so much to juggle they
miss big security holes in externally accessible
systems. Not good. Anything to rectify that...

Maybe open source s/w could "phone home;" if the
current stable version is greater than its version
it could alert the admin (setting the admin's
email address would be a part of './configure'
or a required directive in a .conf file, and ideally it would be a mailing alias in case joe_schmoe@localcompany.com was no longer working there...)

This could be as simple as a HTTP GET request, semi-hardcoded (could be updated as a part of the reply, in case the server name was going to change...)

This could be easily implemented...??

Have it automatically update

[Cro+Magnon]

System Message: Your kernel is older than 3 weeks. Auto-updating to latest kernel. Installing linux-2.4.15-greased-turkey.

Tears in rain

[I+am+Jack's+username]

I've displayed things you users wouldn't believe. Applications on fire from server of Gates. I watched blinkenlights glitter in the dark near the xor gate. All this data will be lost in time, like backup tapes in the rain. Time to crash.

I'd love to have my cgi scripts deactivated

I'd love to have my sgi-scripts deactivated every 6 months without warning. Super idea!

Heh.

[jeminer]

This is the kinda thing a pissed off overworked sysadmin might say. Power to the BOFH!!

No Way!

[samantha]

Microsoft would just LOVE this. Exactly why is only Open Source software being singled out? Most of the security problems are in Micro$oft products. Why not simply disable any of *their* software than isn't up-to-date on security patches.

Here's a very good idea

Most people have very good reasons to use old software, like its size, and possibly because it supports hardware the new one doesn't (XFree86 3.x vs. 4.x comes to mind). If you force people to run the latest and greatest, you're probably also forcing them to upgrade their computer. Also, many programs only behave with an earlier version of a given library. For example, OGLE (a DVD player) only works with a52dec 0.7.1b, when 0.7.3 is out. OGLE will NOT (at the moment) compile with 0.7.3. Sure, they'll switch with the next release, but until then NO DVD! And worse, what if the OGLE project goes under?

What we really need to do is patch ALL versions of the software for known security holes. Watch: FooFTPD 1.0.9002 (the third number changes for bugfixes and security hole fixes) would be just as secure as FooFTPD 3.0.2, but FooFTPD 1.0.9002 would be so much like FooFTPD 1.0.0 that it could be deployed in exactly the same manner. Then, FooFTPD would incorporate some sort of update mechanism a la Critical Update Notification that tells the Sysadmin when there's a new bugfix/security hole fix available for the installed version of FooFTPD. This system will work, but it would put extra load on the developers. But... Open Source... there's SOMEBODY out there to do the patching of old software for the developer...