Should Open Source Software Expire?
Daffy writes "Jon Lasser at SecurityFocus has an idea for combating the tendency most sysadmins have to leave old versions of software running long after they're known to have security holes. He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update."
I have old internal boxes that are way way out of date, but safely firewalled away doing just what I want them to do. Rebuilding those every few months/years (or having to remove timebombs from software before I install it) == Bad idea.
I agree that software should assist admins in keeping it up to date, but honestly, legitimate users shouldn't be affected if an admin is incompetent or lazy.
He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update.
Interesting idea, but the assumption that people will only want to run newer software seems a bit flawed to me. To quote the genius Anonymous, "Assumption is the mother of all fuck-ups."
Last night I installed RH 6.2 on an old P75 I picked up somewhere, and ended up installing an old version of openssh on it (along with a bunch of other older stuff) to save disk space. Under this scheme, I wouldn't be able to; despite the fact that the machine is behind a firewall, I'd be bullied into running larger, more secure software.
The computer is mine. The software is mine. And, should there be an issue, the blame is mine. I don't want anyone who thinks they're smarter than me fucking around with my computers. If I did, I'd run Windows, now wouldn't I?
--saint
Gnumeric had something like this.
I was running an old version, the one that comes with a default slackware 8.0 install.
On opening, it popped up an alert saying "This software is old, and has probably been updated by now! Check out gnumeric.org for an update."
No hassle, just a one-off friendly reminder.
Good idea, I thought.
Why not try something a little more reasonable, such as SecurityFocus Pager 3.0? And I blockquote:
Of course, there are other tools available that do the same thing (or something similar). The point is tools like this allow admins to stay up on security issues, but let them upgrade immediately or as soon as practicable. Or you can just do an apt-get update; apt-get upgrade; once in a while like I do. ;)
-- null
Oi, I agree, but for different reasons. Yes, the code could be commented out - so what? Any code that secures an existing hole can be commented out, thus re-opening the hole.
I think it's a bad idea to actually _disable_ a running program, because doing so can cause problems that are not necessarily immediately traceable back to the disabled program. Instead, the program should raise some sort of persistent alert, via email, logfiles, or whatever, at some interval, alerting the administrator that there is an out of date program running.
This is great.
I have a similar idea for my car. You could design an oil system so that once the car had been driven more than 3000 miles, the car automatically drained all the oil from the drain pan and left the engine without oil.
This would prevent a careless driver from driving with oil that no longer provided sufficient viscosity.
So, you want me to tell my boss that our web server is free software and has expired because the people writing the software figured by now it would have a bunch of security holes?
That's gonna be easy to sell. I can just imagine it.
Boss: "Why did our server go down last night!?!?!"
Me: "Well, it expired."
Boss: "It's free, for Christ's sake! How does the d*mn thing expire if we're not paying for it!"
Me: "Well, the authors figured that by now, there would be a bunch of problems in the software so they want us to upgrade it, it's really a good thing."
Boss: "I thought this free stuff was supposed to work, not be full of security holes! We're switching to IIS!"
int func(int a);
func((b += 3, b));
What if the system were to log the last update for all packages to a central file that could be polled by the admin? Or email the admin once the software reaches a certain age? I doubt many security patches are deliberately not applied, but most admins are probably overworked as-is and would appreciate a gentle nudge to check for security updates on a piece of code that they normally don't look at too often because it just works.
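The alternative sketched in the two posts above (a persistent alert instead of a time bomb, driven by a central record of when each package was last updated) is small enough to show in working code. This is an added example, not code from the thread or from SecurityFocus; the record format, the package names and dates, the 180-day threshold and the `check_record` helper are all assumptions made for the example.

```python
"""Package-age advisory: nag about stale software instead of disabling it.

Added example. Reads a central "last update" record (format assumed here:
one package per line, name<TAB>version<TAB>ISO date), finds packages older
than a threshold, and raises a persistent alert via the logging module
(which can be routed to syslog or mail). Nothing is ever disabled.
"""
from datetime import datetime
import logging

# Constructed sample record; names, versions and dates are made up.
SAMPLE_RECORD = """\
openssh\t2.9p2\t2001-09-15
apache\t1.3.20\t2001-05-22
bind\t9.1.3\t2001-06-28
gnumeric\t0.65\t2001-03-01
"""

MAX_AGE_DAYS = 180  # assumed policy: nag about anything not updated in 6 months


def parse_record(text):
    """Parse the record into a list of (name, version, last_update) tuples.

    Blank lines and '#' comments are skipped; malformed lines raise ValueError
    with the line number so a corrupt record is noticed rather than ignored.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 tab-separated fields, got {len(parts)}")
        name, version, stamp = parts
        try:
            last_update = datetime.strptime(stamp, "%Y-%m-%d").date()
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad date {stamp!r}") from exc
        entries.append((name, version, last_update))
    return entries


def stale_packages(entries, today, max_age_days=MAX_AGE_DAYS):
    """Return [(name, version, age_in_days)] for packages past the threshold,
    oldest first so the most neglected package tops the report."""
    stale = []
    for name, version, last_update in entries:
        age = (today - last_update).days
        if age > max_age_days:
            stale.append((name, version, age))
    stale.sort(key=lambda e: e[2], reverse=True)
    return stale


def check_record(text, today_iso, max_age_days=MAX_AGE_DAYS):
    """Convenience wrapper: parse the record and report stale packages as of today_iso."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    return stale_packages(parse_record(text), today, max_age_days)


def format_alert(stale, max_age_days=MAX_AGE_DAYS):
    """Human-readable report; empty string when nothing is stale."""
    if not stale:
        return ""
    lines = [f"Packages not updated in more than {max_age_days} days:"]
    for name, version, age in stale:
        lines.append(f"  {name} {version}: {age} days since last update")
    lines.append("Check vendor advisories. This is a reminder; nothing has been disabled.")
    return "\n".join(lines)


def notify(report, log=logging.getLogger("pkg-age")):
    """Persistent nag: emit the report at WARNING level. Returns True if anything was sent."""
    if not report:
        return False
    for line in report.splitlines():
        log.warning(line)
    return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(asctime)s %(name)s: %(message)s")
    today_iso = datetime.now().strftime("%Y-%m-%d")
    stale = check_record(SAMPLE_RECORD, today_iso)
    notify(format_alert(stale))
```

Run from cron and the warning repeats every cycle until the record is refreshed, which is the "persistent alert at some interval" behaviour asked for above; the admin keeps the decision of whether and when to upgrade.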
First, there is a name for software that is going to be deprecated in a foreseeable time frame. That name is "beta." If you are writing software with the belief that "in x months people will be better off not running this" you are doing something wrong.
Second, what if you write a really great program, and you put this "feature" in it. The program is great. People love it. They depend on it. And it doesn't have security problems. Meanwhile you get married, have triplets and move to the Amazon. Then your little "time bomb" goes off. Thanks a bunch. Now it falls on "someone" to rip the thing out. Not good.
There are any number of other problems like:
This is all outside of the fact that I (like many others) don't care for software that thinks it is smarter than I am. That's why I run *NIX in general and Free Software in particular in the first place.
Bottom line: Sounds nice. Makes more problems than it solves.
-Peter
I am sick to death of folks using technology to try to solve people problems. All this indicates is a flawed understanding of the problem.
For example, the issue here is not binary. Security is not the end all and be all--folks should have the freedom to make informed rational decisions to make their systems less secure. Perhaps it's just a web server and not mission critical? Perhaps they need an older version of java to run an older program that they need. Knowledgeable admins should have the freedom to make that choice. Don't force policy via technology.
But this is indicative of a larger trend to look at technology to solve all our problems. Have sex offenders in the neighborhood? Make them wear beepers so that decent folk can know where they are! Have mental health problems? Take a pill! Folks speeding? Put up those goddamn speed cameras!
Rather than dealing with people on a personal level, we use technology to dehumanize interactions. I think it's because technology is easier to understand. It's not as complex as humans are. Technology also scales better than personal interactions do. It lets us do things more efficiently, but, mon dieu, what kind of world are we creating?
Dan
howzabout if it sits around to long, it sends a message to your boss to replace you, the lazy admin, you frickin' slacker!
that'd be preferable.
thelocust[dot]org
The only downside I can see is what happens when you've using some software and the developer stops developing it....your software passes its expiry date...no updates are available... what then?
What then is that you realize what a horrible fucking idea this is in the first place.
"And like that
[root@owl.tyrell.com] /usr/local/apache/bin/apachectl start
Starting httpd - please wait...
How old am I?
^C
My birthday's April 10 2017 - how long do I live?
^C^C^C^C
Nothing is worse than having an itch you can never scratch!
^C^C^ZC^Z^C^Z^CZ^C^C^C^C^Z^C^C^C
Wake up! Time to die!
Starting httpd... [FAILED]
mod_leon died prematurely...
[root@owl.tyrell.com]#
--- Hot Shot City is particularly good.