Slashdot Mirror


MITRE Corp. Report On Open Source In Government

Jeremy Allison (of the Samba team) writes "Very interesting paper just published by MITRE corporation. (In PDF - they've learned not to use Microsoft Word. :-). Highlights: 'The main conclusion of the article was that FOSS software plays a more critical role in the DoD than has generally been recognised.'; 'Create a "Generally Recognised as Safe" FOSS list ... including Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, bind, and sendmail.' 'FOSS' stands for 'Free and Open-Source Software.' Looks like these people 'get it.'"

22 of 279 comments

  1. Re:Generally Recognised as Safe. by Sivar · · Score: 5, Informative

    Correction: Upon further inspection, Qmail is graciously listed, though the others seem to still be absent (unless I can't search properly).

    "Qmail is a FOSS replacement for Sendmail, the
    program that transfers emails between computers
    on the Internet. Qmail has improved security,
    reliability, and performance features."


    Yep, that pretty much sums it up. I'm impressed. :)

    --
    Computer Science is no more about computers than astronomy is about telescopes. --E. W. Dijkstra
  2. "Generally Recognised as Safe" Reference by gmanske · · Score: 5, Informative
    If like me, you were wondering what the "Generally Recognised as Safe" reference was referring to, here's an excerpt of the executive summary of the report.

    This list would provide quick official recognition of FOSS (Free and Open-Source Software) applications that are:

    (a) commercially supported
    (b) widely used and
    (c) have proven track records of security and reliability (e.g. as measured by speed of closures of CERT reports in comparison to closed-source alternatives)

    Gmanske.

  3. Re:PDF format freer than Word? by tunah · · Score: 3, Informative
    I would say PDF is freer than Word, however, because you don't have to pay money to view the document

    Only half true. Microsoft offers a little known Word 2000 viewer (and similar viewers for Excel etc) that is available gratis.

    --
    Free Java games for your phone: Tontie, Sokoban
  4. Re:How much respect does MITRE command? by Jeremiah+Cornelius · · Score: 4, Informative
    Not only this, Mitre are the origin of the Capabilities Maturity Model - in conjunction with CMU.

    Process and methodology kings, par excellence.

    Do you want to know how to do something right? Do you want to know how to repeat the performance? Mitre are your experts in the field.

    If your organization has a job-title of "Program Manager", there is at least a passing nod to the CMM processes outlined by Mitre, which breaks down all process and initiative into functional program areas.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  5. Re:I work for the DoD.. open source rules! by sheriff_p · · Score: 3, Informative

    You need to remember that reps aren't *real* people in most cases, and especially in a field like anti-virus, reps are often keen to over-sell products.

    Of course, it's worth remembering (going a little off-thread here), that unpatched open-source software isn't any more secure than unpatched Windows software - IIS can be patched and secured too. A good tutorial on hardening IIS can be found here:
    http://www.virusbtn.com/magazine/archives/200208/impossible.xml

    --
    Score:-1, Funny
  6. Re:PDF? by Sivar · · Score: 3, Informative

    If you actually tried to open up any but the most basic Word document in Wordpad, it butchers the document. Try it.
    However, that's beside the point. You see, not everyone runs Windows, and not everyone wants to open a document that can come with little extras like macro virii.

    Further, .PDF documents are extremely common. Get used to it. If you really can't stand to have to download extra software to view such a common format, you'll be happy to know that most Linux distributions come with at least one .PDF viewer.

    Not that the parent wasn't a troll or anything...

    --
    Computer Science is no more about computers than astronomy is about telescopes. --E. W. Dijkstra
  7. Re:PDF format freer than Word? by u19925 · · Score: 3, Informative
    There are three main advantages of PDF over Word:

    1) The format is compressed, so it is smaller in size.

    2) The PDF viewer is available on more platforms than Word viewer

    3) The PDF is already formatted for printing.

  8. Re:PDF format freer than Word? by booms · · Score: 2, Informative

    Most companies when publishing in PDF format do so, not for openness but to protect against copying or modification.

    Or it could simply be because it's much easier to predict how the document will print / read on various platforms. At this point, PDF files are pretty much a web standard for white papers, reports, etc. I guess if it were me I would skip the paranoia factor and the black helicopter sightings and take the report at face value. :)

    - Brandon

  9. They are not required to distribute it by XNormal · · Score: 3, Informative

    Even the GPL does not require anyone to distribute their customized in-house modifications.

    I do hope that some employees who are exposed to open source, its benefits and the values of the community behind it contribute to open source projects in some way.

    --
    Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
  10. Re:How much respect does MITRE command? by Ektanoor · · Score: 4, Informative

    MITRE is a DoD child, created in the heat of the Cold War. It was and probably still is one of the best brainstorm centers in the world. And DoD loves it a lot. Besides, MITRE is one of the historic hallmarks on computer development. It was one of the organisations that tightly worked with ARPA in the 60's. So, in some way they can be the aunties of Internet. Many other things we use today were also developed by MITRE. So DoD will probably listen to its giant child.

  11. Re:What the DoD is and isn't by Anonymous Coward · · Score: 4, Informative

    Linux is in widespread use in the Navy research lab that I work for. And our NMCI installation apparently does include Linux in some way as I have seen reports of "compatibility testing" that mentioned NT/2k/XP/Linux/Solaris and a couple others.

    Not to imply that NMCI isn't ridiculous and a huge waste of money. We're trying to fight it...

    And don't forget that most computers aren't desktops. We certainly don't have any MS OS on our many embedded computers.

  12. Re:Generally Recognised as Safe. by kpansky · · Score: 2, Informative

    I think you may have jumped the gun here. Qmail is "free" as in beer. It does clearly meet the requirements as set out in the document to be Free and/or Open Source Software. They are not mutually exclusive, or inclusive.

    --

    --Kevin
  13. djbdns & qmail by dasunt · · Score: 5, Informative

    I'm not trying to torch anybody's favorite software here, but both djbdns and qmail have drawbacks.

    The biggest issue is the license. Qmail is limited to source-code only distribution, with an exception being made for precompiled binaries if they behave exactly the same as qmail normally behaves. Information here. This means that if you want qmail not to throw all of its binaries under /var and ignore most of /etc for configuration files (which it normally does), you have to compile and patch it by yourself. Also, there is no distributing patched versions, so if D. J. Bernstein dies tomorrow, qmail development is effectively frozen until qmail passes into the public domain decades later. That includes any security/performance patches, as well as ports to other architectures. Djbdns has a similar license.

    There is also compatibility. Djbdns does not support certain zone transfer mechanisms. It ignores some IETF standards entirely and implements its own version instead. I get upset when Microsoft twists and corrupts public standards for its own ends, and I get upset when Bernstein does it as well. I'm lazy, I don't want to have to double-check if my DNS server supports a certain standard if my configuration changes. Qmail is more of a quibble, I don't like how it throws everything in /var. (And I'm not sure why the world needs qmtp)

    I'm not saying that a lot of people and smaller sites won't find qmail/djbdns (and the rest of Bernstein's software) useful. They seem to be secure, and they do their job as long as everything is compatible.

    However, one of the reasons why I avoid proprietary software for many tasks is that I don't want to hitch my wagon to somebody else's horse. If I go with an MTA that is widely used and is GPL or BSDL, I am assured that development does not rest solely on one person. And if I go with standards-compliant software, it ends up being less of a hassle in the long run.

    Djbdns and Qmail aren't bad. But they have licenses that limit distribution and development, and they break interoperability.

  14. Re:Generally Recognised as Safe. by novakreo · · Score: 5, Informative

    True, but then again Qmail has offered a USD $500 security guarantee since 1997, which so far remains unclaimed. Sendmail does not, and since then they've had a number of security issues to deal with.

    As for its usage, Qmail at one stage included Hotmail among its users, so it has had a reasonable amount of testing and use.

    --
    O frabjous day! Callooh! Callay!
  15. Re:Open source, eh? by thelen · · Score: 3, Informative

    Even on Slashdot the GPL is largely misunderstood. It principally dictates that if you redistribute the software you must also redistribute the source; it does not require that you redistribute the source in order to use the code yourself in whatever fashion you require. Your error is exactly the misunderstanding that MS capitalizes upon in describing the GPL as 'viral'.

  16. Generally Recognised as Safe == Debian/stable? by SgtChaireBourne · · Score: 2, Informative

    One of the report's three recommendations is to create a "Generally Recognized As Safe" list of Free or Open Source Software. The stable distribution of Debian has already done this. If the DoD is looking for a base set of packages, then Debian looks to be the set to work with.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  17. Debian may not agree... by Xtifr · · Score: 3, Informative

    As a Debian Developer, allow me to strongly disagree. There is a lot of software in Debian! It's as reliable and trustworthy as we can make it, but a lot of stuff doesn't get banged on very heavily (some of it is downright obscure), and the best we can really say is, "we haven't found any obvious problems". Which is a whole world apart from "Generally Recognized As Safe."

    Now, anything that's FOSS and GRAS is probably in Debian, but being in Debian stable is only evidence of being FOSS and NPU (Not Proven Unsafe).

    I think that the idea of having an external list of FOSS/GRAS software is an excellent one. Moreover, I doubt if Debian wants to accept responsibility for maintaining such a list.

  18. Re:PDF format freer than Word? by Xtifr · · Score: 3, Informative

    Microsoft offers a little known Word 2000 viewer [...] gratis

    But that supposedly gratis viewer requires a non-gratis OS to run, so many of us would still have to pay money to view the document.

    (But then you did say, "half true", and anyway, my objection is only half true because it probably runs under Wine. Though I'm not sure that helps people running Solaris/AIX/LinuxPPC/LinuxARM/LinuxPS2/etc.)

    Anyway, the bottom line is that PDF is freer than Word because PDF is an open standard, and multiple implementations exist (some gratis, some FOSS) while Word is a closed, proprietary format subject to change without notice.

  19. Linux IS used in the Marine Corps by LittleLebowskiUrbanA · · Score: 2, Informative

    I took a class recently conducted by a Major (in the Corps) who informed me that Linux is used for firewalling at the higher echelons of IT in the Corps. As for other services, I can point you to quite a few Navy guys running Linux mailservers. The Navy is much less regimented than the Corps and their IT think nothing of going to Fry's, building a nice Athlon system, and throwing Linux on it. That would never happen here in the Corps unfortunately. I'm sure if I'm in Kuwait in six months setting up a network and the only way to get said network running was through the LEAF project, I'd get the go-ahead until we could get some expensive, proprietary firewall sent to us. The poster above is pretty much dead on. Each service does have its own way of doing things. Just head on over to Netcraft.com and see what the Army's running for a webserver.

  20. Re:About time. by Daniel+Dvorkin · · Score: 3, Informative

    Exactly. The DoD is interested in sweetheart deals with major defense contractors (and yes, Microsoft now falls into that category) which are generally brokered by retired high-ranking officers who start taking gigantic salaries from said contractors the moment the ink is dry on their discharge papers. Since most of the contractors (Microsoft excluded) actually build pretty good products, "things working correctly all the time" is a happy side-effect, but there's no evidence that it's a primary goal.

    As a vet, believe me, I'm not happy about this. I've seen the effects first-hand. I was a medic for eight years in the Air Force. About halfway through my second enlistment, we switched from company A's IV needles, which were very high-quality and never crimped up -- i.e., the plastic cannula over the needle, which is the part that actually stays in the patient when the needle is pulled out, always went in smoothly with the needle instead of crimping up around the needle and not going in -- to company B's IV needles, which crimped up about a third of the time -- which of course meant that the patient had an extra hole in his skin and the needle was now useless. We did this, as it turned out, because the recently retired General X, who had been quite high up in the AF medical bureaucracy, was now a member of Company B's board of directors. When I got out of the service a couple of years later, we were told that the AF was "studying the problem." Meanwhile our supply guys were cutting "gray" deals with local medical supply companies to get us needles that worked.

    This may seem like a minor problem, but consider that a) the switch caused a lot of pain and suffering (even good IV sticks are painful; bad ones are worse) and wasted a lot of money, and b) this sort of thing happens all the time, all over the place, in places ranging from the base personnel office to the ER to the flightline where people are loading nuclear weapons onto bombers. And not just in the AF; there are similar stories from almost every job in every branch of the service. Your tax dollars at work, folks.

    --
    The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
  21. Re:PDF format freer than Word? by runderwo · · Score: 2, Informative
    PDF is an image description format, nothing more.
    Um, wrong. PDF is a subset of Postscript, and it can contain text (rendered in the native system's fonts) as well as image data. It can also contain "marked-up" portions of the image, that are rendered as images, but have text associated with them (so you can copy and paste outside the PDF by selecting a part of the image as you would a block of text).
  22. Bio of the author by benploni · · Score: 3, Informative

    It was written by:

    Terry Bollinger

    The MITRE Corporation
    1820 Dolley Madison Blvd.,
    W534 McLean, VA, 22102, USA
    terry@mitre.org

    Terry Bollinger currently works at The MITRE Corporation, where he focuses on distributed software and hardware architectures issues for U.S. Department of Defense information infrastructures. He is an editor for IEEE Software, and was one of two Special Editors for the Jan/Feb 1999 issue of IEEE Software on Linux and open source software methods.

    Terry has had extensive experience at all levels of software development in the telecommunications industry, at NASA, and for the U.S. Department of Defense. Especially while working in the telecommunications industry, he has had extensive hands-on experience with both a wide range of software construction methods and approaches, and with the consequences of trying to apply some of these methods in "realistic" environments in which there is a typical spectrum of developer experience (e.g., what happens when C++ is applied in an environment consisting almost entirely of long-term functional C programmers). Terry also has a strong background in software reusability and software process, including an IEEE Software Best Paper on why software process improvement doesn't always give the kinds of results advertised, and is intrigued by the issue of why some programmers seem to be so much better at producing high-quality, stable code that endures over time. In terms of software construction issues, he is both highly familiar with the overall set of techniques involved (including newer methods such as graphical component based programming), and is strongly supportive of the need for good methods while also being healthily skeptical about a lot of the claims made for various software construction methods and tools.

    Terry has M.S. and B.S. degrees in Computer Science from the University of Missouri at Rolla, and has been a member of IEEE for 23 years.