MITRE Corp. Report On Open Source In Government
Jeremy Allison (of the Samba team) writes "Very interesting paper just published by MITRE corporation. (In PDF - they've learned not to use Microsoft Word. :-). Highlights: 'The main conclusion of the article was that FOSS software plays a more critical role in the DoD than has generally been recognised.'; 'Create a "Generally Recognised as Safe" FOSS list ... including Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, bind, and sendmail.'
'FOSS' stands for 'Free and Open-Source Software.' Looks like these people 'get it.'"
Correction: Upon further inspection, Qmail is graciously listed, though the others seem to still be absent (unless I can't search properly).
:)
"Qmail is a FOSS replacement for Sendmail, the
program that transfers emails between computers
on the Internet. Qmail has improved security,
reliability, and performance features."
Yep, that pretty much sums it up. I'm impressed.
Computer Science is no more about computers than astronomy is about telescopes. --E. W. Dijkstra
This list would provide quick official recognition of FOSS (Free and Open-Source Software) applications that are:
(a) commercially supported
(b) widely used and
(c) have proven track records of security and reliability (e.g. as measured by speed of closures of CERT reports in comparison to closed-source alternatives)
Gmanske.
Process and methodology kings, par excellence.
Do you want to know how to do something right? Do you want to know how to repeat the performance? Mitre are your experts in the field.
If your organization has a job-title of "Program Manager", there is at least a passing nod to the CMM processes outlined by Mitre, which breaks down all process and initiative into functional program areas.
"Flyin' in just a sweet place,
Never been known to fail..."
MITRE is a DoD child, created in the heat of the Cold War. It was and probably still is one of the best brainstorm centers in the world. And DoD loves it a lot. Besides, MITRE is one of the historic hallmarks on computer development. It was one of the organisations that tightly worked with ARPA in the 60's. So, in some way they can be the aunties of Internet. Many other things we use today were also developed by MITRE. So DoD will probably listen to its giant child.
Linux is in widespread use in the Navy research lab that I work for. And our NMCI installation apparently does include Linux in some way as I have seen reports of "compatibility testing" that mentioned NT/2k/XP/Linux/Solaris and a couple others.
Not to imply that NMCI isn't ridiculous and a huge waste of money. We're trying to fight it...
And don't forget that most computers aren't desktops. We certainly don't have any MS OS on our many embedded computers.
I'm not trying to torch anybody's favorite software here, but both djbdns and qmail have drawbacks.
The biggest issue is the license. Qmail is limited to source-code only distribution, with an exception being made for precompiled binaries if they behave exactly the same as qmail normally behaves. Information here. This means that if you want qmail not to throw all of its binaries under /var and ignore most of /etc for configuration files (which it normally does), you have to compile and patch it by yourself. Also, there is no distributing patched versions, so if D. J. Bernstein dies tomorrow, qmail development is effectively frozen until qmail passes into the public domain decades later. That includes any security/performance patches, as well as ports to other architectures. Djbdns has a similar license.
There is also compatibility. Djbdns does not support certain zone transfer mechanisms. It ignores some IETF standards entirely and implements its own version instead. I get upset when Microsoft twists and corrupts public standards for its own ends, and I get upset when Bernstein does it as well. I'm lazy, I don't want to have to doublecheck if my DNS servers support a certain standard if my configuration changes. Qmail is more of a quibble, I don't like how it throws everything in /var. (And I'm not sure why the world needs qmtp)
I'm not saying that a lot of people and smaller sites won't find qmail/djbdns (and the rest of Bernstein's software) useful. They seem to be secure, and they do their job as long as everything is compatible.
However, one of the reasons why I avoid proprietary software for many tasks is that I don't want to hitch my wagon to somebody else's horse. If I go with an MTA that is wildly used and is GPL or BSDl, I am assured that development does not rest solely on one person. And if I go with standards-compliant software, it ends up being less of a hassle in the long run.
Djbdns and Qmail aren't bad. But they have licenses that limit distribution and development, and they break interoperability.
True, but then again Qmail has offered a USD $500 security guarantee since 1997, which so far remains unclaimed. Sendmail does not, and since then they've had a number of security issues to deal with.
As for its usage, Qmail at one stage included Hotmail among its users, so it has had a reasonable amount of testing and use.
O frabjous day! Callooh! Callay!