Slashdot Mirror


Should Open Source Software Expire?

Daffy writes "Jon Lasser at SecurityFocus has an idea for combating the tendency most sysadmins have to leave old versions of software running long after they're known to have security holes. He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update."

6 of 549 comments

  1. I think.... by Bob McCown · Score: 4, Interesting

    I think that the premise that all computers are exploitable is a wrong one to pursue. Granted, any idiot that leaves an exploitable machine running on the net gets what he deserves, yet in this age of DDOS viruses/trojans, the damage goes far beyond a single machine. BUT, I don't think FORCING an upgrade is the way to go. If I have a machine on an internal network merrily plugging away for years, why break it if it's working?

  2. Expiration. by saintlupus · Score: 5, Interesting

    He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update.

    Interesting idea, but the assumption that people will only want to run newer software seems a bit flawed to me. To quote the genius Anonymous, "Assumption is the mother of all fuck-ups."

    Last night I installed RH 6.2 on an old P75 I picked up somewhere, and ended up installing an old version of openssh on it (along with a bunch of other older stuff) to save disk space. Under this scheme, I wouldn't be able to; despite the fact that the machine is behind a firewall, I'd be bullied into running larger, more secure software.

    The computer is mine. The software is mine. And, should there be an issue, the blame is mine. I don't want anyone who thinks they're smarter than me fucking around with my computers. If I did, I'd run Windows, now wouldn't I?

    --saint

  3. Notification vs. expiration by TheFlyingGoat · Score: 4, Interesting

    I don't think the software should automatically update itself or expire, but rather have some way of communicating with the sysadmin. For example, if you use the CPAN module for perl in shell mode, it'll tell you if there's a new version of itself available, and how to update. Most importantly, it does so unobtrusively (as opposed to some programs that get annoying about it).

    --
    You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill

  4. Gnumeric by OpCode42 · Score: 5, Interesting

    Gnumeric had something like this.

    I was running an old version, the one that comes with a default Slackware 8.0 install.

    On opening, it popped up an alert saying "This software is old, and has probably been updated by now! Check out gnumeric.org for an update."

    No hassle, just a one-off friendly reminder.

    Good idea, I thought.

    1. Re:Gnumeric by Anonymous Coward · Score: 4, Interesting

      At least it let you run the software. How about this: Class presentation day. You launch Realplayer on your laptop to show some video. "Your version of RealPlayer has expired, please download a new version". Goddammit, I'm in front of 30 people, my laptop is NOT on the network, and my 10-minute timeslot is expiring. I don't have TIME to download and install a fuckinlblarhfap arg!! NEVER REALPLAYER AGAIN.

  5. It's mainly for the luser admins, right? by RatOmeter · Score: 4, Interesting

    OK, I think we'll all agree that the vast majority of servers that've been exploited and abused for a long period are in the hands of luser admins. Savvy admins get burned all too often as well, but they usually catch it and patch their systems before too much time has elapsed.

    Think about it... how many SMTP open relays are still running that have been spew points for years? How many Code Red hosts *still* probe your hosts, after all the hype and months gone by? How many hosts can you find that are listening on port 12378 (Gibe worm/trojan)?

    The "admins" of these systems have *no clue* what's going on and LARTs fall on deaf ears at their luser ISPs!

    So. My proposal is this: Include disabling timeouts on *all* net connected ware, enabled by default. Put a nice, little checkbox in an unassuming corner of a/the install screen (or a line in a conf file somewhere) that allows this "feature" to be disabled.

    I figure all savvy admins will turn the feature off. Some of the luser admins will turn the feature off. A majority of the lusers won't even know it's there, and won't disable it. Too bad for them, but they'll have a cluestick swingin' their way in a year or so.

    I still don't think it'll fly (no one's going to build this feature in), but the above is my spin on how it might be made to work, after a fashion.

    -
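A sketch of the mechanism the thread is arguing about, added here as an example that is not part of the original discussion or of any project named in it: a build-date staleness check with the three behaviours the comments describe (Lasser's hard expiry, the Gnumeric/CPAN style reminder, and RatOmeter's on-by-default opt-out), driven by a hypothetical config fragment. The config keys, the 180/365-day windows, and the sample dates are all assumptions, and the clock-skew branch shows why "expire" mode should never lock a user out on bad time.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Modes map to the positions in the thread: "expire" (Lasser's proposal),
# "notify" (the Gnumeric/CPAN one-off reminder), "off" (RatOmeter's checkbox).
MODES = ("expire", "notify", "off")


@dataclass(frozen=True)
class StalenessPolicy:
    mode: str = "expire"                          # enabled by default, as comment 5 proposes
    warn_after: timedelta = timedelta(days=180)   # assumed window
    refuse_after: timedelta = timedelta(days=365) # assumed window


def parse_policy(conf_text: str) -> StalenessPolicy:
    """Read hypothetical 'key = value' lines; '#' starts a comment.
    Unknown keys are ignored and bad values fall back to the defaults, so a
    typo in the conf file never silently turns the check off."""
    mode, warn, refuse = StalenessPolicy().mode, 180, 365
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip().lower() for part in line.split("=", 1))
        if key == "staleness_mode" and value in MODES:
            mode = value
        elif key == "warn_after_days" and value.isdigit():
            warn = int(value)
        elif key == "refuse_after_days" and value.isdigit():
            refuse = int(value)
    # Refusing before warning makes no sense; clamp so warn always comes first.
    return StalenessPolicy(mode, timedelta(days=warn), timedelta(days=max(refuse, warn)))


def staleness_action(build_date: date, today: date, policy: StalenessPolicy) -> str:
    """Return 'ok', 'warn' or 'refuse'. Only 'expire' mode can ever refuse to run."""
    if policy.mode == "off":
        return "ok"
    if today < build_date:
        # A clock set before the build date is a clock problem, not old software:
        # mention it, but do not strand the user (the RealPlayer-on-stage case).
        return "warn"
    age = today - build_date
    if age >= policy.refuse_after and policy.mode == "expire":
        return "refuse"
    if age >= policy.warn_after:
        return "warn"
    return "ok"


def check(build_iso: str, today_iso: str, conf_text: str = "") -> str:
    """Convenience wrapper: ISO dates plus a conf fragment in, action out."""
    return staleness_action(date.fromisoformat(build_iso), date.fromisoformat(today_iso), parse_policy(conf_text))
```

Running `check("2002-01-01", "2003-06-01", "staleness_mode = notify")` yields `warn` rather than `refuse`, which is the behaviour comments 3 and 4 argue for.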