Slashdot Mirror

← Back to Stories (view on slashdot.org)

Should Open Source Software Expire?

Posted by michael on from the forced-retirement dept.

Daffy writes "Jon Lasser at SecurityFocus has an idea for combating the tendancy most sysadmins have to leave old versions of software running long after they're known to have security holes. He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update."

6 of 549 comments (clear)

  1. Dumb. by dasmegabyte · · Score: 3, Informative

    What a dumb thing to say -- any requirement you make for Open Source will be totally ignored by a good segment of the population no matter how good an idea it is. You can't make demands of a free community simply because much of the population are idiots. It's those idiots losing their jobs when the servers become infested with hackers that is going to teach them to update their software. Putting in artificial expiry dates only leaves another worthless feature to debug.

    Expiry is for shareware...open source's trademark is its install once, run forever (for most applications) reputation. And for machines properly behind firewalls, this reputation is justified, even with the holes. Who is going to be rooting the print server at our church with no internet access.

    --
    Hey freaks: now you're ju
  2. Alternative: SecurityFocus Pager for example? by rtos · · Score: 5, Informative
    Yeah, nothing like having your systems go down over a weekend because you didn't upgrade fast enough. Pfft!

    Why not try something a little more reasonable, such as SecurityFocus Pager 3.0? And I blockquote:

    "The SecurityFocus Pager is a dynamic application designed to help system administrators track content of interest to them on the SecurityFocus.com web site. It affords the system administrator the ability to select categories of interest and tracks them automatically, notifying the administrator when new content arrives. The Security Focus Pager displays short descriptive summaries allowing the administrator to stay updated on relevant issues in the security world, including vulnerabilities, news articles, software releases, and other important information."
    Of course, there are other tools available that do the same thing (or something similar). The point is tools like this allow admins to stay up on security issues, but let them upgrade immediately or as soon as practicable.

    Or you can just do an apt-get update; apt-get upgrade; once in a while like I do. ;)

    --
    -- null
  3. It is called syslog by NotoriousQ · · Score: 2, Informative

    The software can just dump "check for security upgrades" messages into syslog, and the administrator can decide. Now if the administrator ignores those, he deserves to be rooted.

    Besides, aren't up2date, rpm, dselect, etc. exist to do the work for a lazy admin.

    As for forcing -- i will mirror the general slashdot public -- hell no.

    --
    badness 10000
  4. Re:Bad idea by drodver · · Score: 2, Informative

    A project that provides librarys other Open Source projects can use to enable automatic code updates would be way cool. Then admins could opt-in to have programs auto-update without user intervention. Proper security and checkpointing would be required, though, to prevent an app from breaking without a recourse to return to full functionality.

  5. Been there, done that... it's bloody annoying by sheldon · · Score: 3, Informative

    Netrek clients had expiration times embedded in them back about 8 years ago. The theory was similar, that there were probably bugs and the developers wanted to force people to update periodically.

    It didn't make much sense because clients were also digitally signed with RSA keys, and those could have been revoked and new keys issued, but anyway.

    The problem came along around 1997 or so when people stopped maintaining and creating new clients. Once a year the bloody client would expire and you'd get a series of posts to the usenet group and mailing lists whining about it. Someone would then have to go recompile the client(usually with no additional changes in the source tree) and put it up on an ftp site.

    I remember rejecting this expiration idea back when it first happened and forked my own client versions which didn't do this. If I want to eliminate the use of a version, I revoke the RSA key.

  6. The Resbonsibilities of SysAdmins by MoneyT · · Score: 2, Informative

    Last I checked, if the SysAdmin was in charge of a critical system, it was his responsibility, nay, his very reason for existance, to ensure that the system was secure. Every book you ever read on UNIX or Linux that is written for SysAdmins tells you that you should be constantly monitoring your software and checking for patches and updates. If I let my software go old, it's for one of two reasons:

    a) It does what it needs to do and there aren't any security flaws I'm concerned about

    or

    b) I don't like what was added into the new version

    either way, the desicion to upgrade or not is in my hands, not the programer's and that's the way it should be.

    --
    T Money
    World Domination with a plastic spoon since 1984