MITRE Corp. Report On Open Source In Government

Jeremy Allison (of the Samba team) writes "Very interesting paper just published by MITRE corporation. (In PDF - they've learned not to use Microsoft Word. :-). Highlights: 'The main conclusion of the article was that FOSS software plays a more critical role in the DoD than has generally been recognised.'; 'Create a "Generally Recognised as Safe" FOSS list ... including Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, bind, and sendmail.' 'FOSS' stands for 'Free and Open-Source Software.' Looks like these people 'get it.'"

Re:Generally Recognised as Safe.

[Sivar]

Correction: Upon further inspection, Qmail is graciously listed, though the others seem to still be absent (unless I can't search properly).

"Qmail is a FOSS replacement for Sendmail, the
program that transfers emails between computers
on the Internet. Qmail has improved security,
reliability, and performance features."

Yep, that pretty much sums it up. I'm impressed. :)

"Generally Recognised as Safe" Reference

[gmanske]

If like me, you were wondering what the "Generally Recognised as Safe" reference was referring to, here's an excerpt of the executive summary of the report.

This list would provide quick official recognition of FOSS (Free and Open-Source Software) applications that are:

(a) commercially supported
(b) widely used and
(c) have proven track records of security and reliability (eg. as measured by speed of closures of CERT reports in comparision to closed-source alternatives)

Gmanske.

djbdns & qmail

[dasunt]

I'm not trying to torch anybody's favorite software here, but both djbdns and qmail have drawbacks.

The biggest issue is the license. Qmail is limited to source-code only distribution, with an exception being made for precompiled binaries if they behave exactly the same as qmail normally behaves. Information here. This means that if you want qmail not to throw all of its binaries under /var and ignore most of /etc for configuration files (which it normally does), you have to compile and patch it by yourself. Also, there is no distributing patched versions, so if D. J. Bernstein dies tomorrow, qmail development is effectively frozen until qmail passes into the public domain decades later. That includes any security/performance patches, as well as ports to other architectures. Djbdns has a similiar license.

There is also compatability. Djbdns does not support certain zone transfer mechanisms. It ignores some IETF standards entirely and impliments its own version instead. I get upset when Microsoft twists and corrupts public standards for its own ends, and I get upset when Bernstien does it as well. I'm lazy, I don't want to have to doublecheck if my DNS servers supports a certain standard if my cofiguration changes. Qmail is more of a quibble, I don't like how it throws everything in /var. (And I'm not sure why the world needs qmtp)

I'm not saying that a lot of people and smaller sites won't find qmail/djbdns (and the rest of Bernstein's software) useful. They seem to be secure, and they do their job as long as everything is compatible.

However, one of the reasons why I avoid proprietary software for many tasks is that I don't want to hitch my wagon to somebody else's horse. If I go with a MTA that is wildly used and is GPL or BSDl, I am assured that development does not rest solely on one person. And if I go with standards-compliant software, it ends up being less of a hassle in the long run.

Djbdns and Qmail aren't bad. But they have licenses that limit distribution and development, and they break interoperability.

Re:Generally Recognised as Safe.

[novakreo]

True, but then again Qmail has offered a USD $500 security guarantee since 1997, which so far remains unclaimed. Sendmail does not, and since then they've had a number of security issues to deal with.

As for its usage, Qmail at one stage included Hotmail among its users, so it has had a reasonable amount of testing and use.