Should Open Source Software Expire?

Daffy writes "Jon Lasser at SecurityFocus has an idea for combating the tendancy most sysadmins have to leave old versions of software running long after they're known to have security holes. He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update."

Dumb.

[dasmegabyte]

What a dumb thing to say -- any requirement you make for Open Source will be totally ignored by a good segment of the population no matter how good an idea it is. You can't make demands of a free community simply because much of the population are idiots. It's those idiots losing their jobs when the servers become infested with hackers that is going to teach them to update their software. Putting in artificial expiry dates only leaves another worthless feature to debug.

Expiry is for shareware...open source's trademark is its install once, run forever (for most applications) reputation. And for machines properly behind firewalls, this reputation is justified, even with the holes. Who is going to be rooting the print server at our church with no internet access.

Alternative: SecurityFocus Pager for example?

[rtos]

Yeah, nothing like having your systems go down over a weekend because you didn't upgrade fast enough. Pfft!

Why not try something a little more reasonable, such as SecurityFocus Pager 3.0? And I blockquote:

"The SecurityFocus Pager is a dynamic application designed to help system administrators track content of interest to them on the SecurityFocus.com web site. It affords the system administrator the ability to select categories of interest and tracks them automatically, notifying the administrator when new content arrives. The Security Focus Pager displays short descriptive summaries allowing the administrator to stay updated on relevant issues in the security world, including vulnerabilities, news articles, software releases, and other important information."

Of course, there are other tools available that do the same thing (or something similar). The point is tools like this allow admins to stay up on security issues, but let them upgrade immediately or as soon as practicable.

Or you can just do an apt-get update; apt-get upgrade; once in a while like I do. ;)

Been there, done that... it's bloody annoying

[sheldon]

Netrek clients had expiration times embedded in them back about 8 years ago. The theory was similar, that there were probably bugs and the developers wanted to force people to update periodically.

It didn't make much sense because clients were also digitally signed with RSA keys, and those could have been revoked and new keys issued, but anyway.

The problem came along around 1997 or so when people stopped maintaining and creating new clients. Once a year the bloody client would expire and you'd get a series of posts to the usenet group and mailing lists whining about it. Someone would then have to go recompile the client(usually with no additional changes in the source tree) and put it up on an ftp site.

I remember rejecting this expiration idea back when it first happened and forked my own client versions which didn't do this. If I want to eliminate the use of a version, I revoke the RSA key.