Open Source In the National Interest
munchola writes "A new report from the Department of Defense's Advanced Systems and Concepts Office recommends that the DoD move to adopt open source software and methodologies as well as open standards in order to make the most efficient use of internal resources. According to CBR, the report states that a move to 'Open Technology Development' is not only in the U.S. national interest, but in the interests of U.S. national security. OTD incorporates open source methodologies and open standards, but also takes into account the fact that the DoD has systems that it would rather keep secret."
Let's have a party! Invite Linus and Stallman! :)
:)
Bring the fireworks!
About Time
If something is so important that you feel the need to post it on the internet... it probably isn't that important.
I foresee the DoD changing its tune after Microsoft drops a few million dollars in the right direction to make this go away. Remember the Open Doc file format drama that unfolded not too long ago? ...where did I put my tinfoil hat again...
My humor is probably your flamebait
So Darl thinks that free software should be restricted worldwide by American law? How does he work that one out, especially when a lot of free software doesn't come from America?
Govt. IT is highly fragmented. It took 20 years for DOD to switch to all-diesel. How long to switch to open-source?
Please sign petition to restore sanity to our banking system!!!
http://financialpetition.org/
So how soon until we see this.
Undetectable Steganography? Yep, there's an app fo
The statement that people could introduce malicious code into Linux that then makes its way into secure systems. Of course with companies outsourcing programming jobs to other countries the same thing could happen with a closed source system.
The solution for OSS is simple. Any OSS software that goes into a Command and Control system needs to have its source code audited by an independent authority.
Of course the same thing should be done with any software that goes into a military, aerospace, or any other mission critical system. In this case OSS does have a clear advantage in that the end user can select any group to perform the code audit instead of depending on the vendor.
Of course if the military does a code audit on Linux they would have to contribute back the patches so it is a win win situation.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
That caused one of the biggest non-nuclear explosions the world has ever seen and significant damage to the Soviet economy?
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
to when the US is a Democratic Socialist country like Norway or Sweden. The government should always take the least expensive route that achieves the same results, in this case, open source.
Likewise, the government should be the single-payer system for medicine, the Internet should be free, etc. All this could be done by raising our taxes about 10% per person. I'd gladly pay more taxes to have better public transportation, universal healthcare, and university.
First, I generally agree that there are many areas where this will be of significant benefit. Unfortunately, there are so many problems across DOD right now due to insufficiently trained operators/admins - this will make it significantly worse in the operational arena. I have been on board many installations to train people and was saddened by the lack of sound IT skills by those that are supposed to be managing the systems. Of the 100 or so IT personnel I have trained, I would say that 5-6 have the necessary mindset and skills to effectively implement OSS. Centralized control is a hallmark of DOD IT - and this flies in the face of that as well, from a cultural perspective. (not that this is a bad thing) So, this means that not only will they need to change the infrastructure - the culture will need to shift, which is a much longer term issue. Then again, this could be good for the network-centric warfare concept. It could inject a much needed dose of innovation.
Granted, I'm not talking about Command and Control systems, but the DoD has been using OS Software for years now. I know because they are using iText to produce billions of PDF documents. I have been mailing with DoD developers regularly in the past (and neither I, nor my product is American). It's not as if they have changed their mind about OSS overnight. The remarkable thing is that they are now coming out with a policy about OSS, and that they are considering using it on a larger scale. (Yes, we're talking about Operating Systems now!)
I didn't know Ada was open source??
That's their plan all along...
Here's the problem with adopting Open Source for everything: It completely homogenizes the entire process of software development, which means that it tends to quash alternative development tools, languages, and techniques.
For example, is it good or bad that JavaScript has implicit typing? Many developers want explicit typing, and call implicit typing "lazy". I can barely have a conversation with a group of fellow geeks without getting shouted down on this topic. The problem with group-anything is that group-think will prevail. To quote one of my favorite posters from demotivators.com, "Meetings: None of us is as dumb as all of us".
In addition, alternative languages and tools tend to be stifled in so-called "open" (read group) environments, because the rest of the group immediately pushes to have the alternative tool or environment removed, unless the group agrees that it is a good idea. Is that the way inventions are made? No. Inventions are made by a single person with a radical idea avoiding all the intervention/interference, naysayers, etc. and presenting that idea DESPITE the opinions of others. I can see opening source after the fact for auditing and suggestions, but not for development.
It seems that a lot of the open source push has been a reaction to the fact that many of the development tools we use are not at a high enough level of abstraction. If you abstract away from code and languages where you are doing your own memory management, one would think that you would experience fewer memory-related programming issues. What kind of issues are most often discussed with open-source development? Exploits, buffer overflows, etc. I can see the database engine being open source, which would help with dealing with injection attacks, but the rest of the application (where the money is) can't possibly benefit from having lots of people "helping out".
Imagine the entire cast of The Food Network making soup together at the same time. "None of us is as dumb as all of us".
Friends help you move. Real friends help you move bodies.
Never forget: 2 + 2 = 5 for extremely large values of 2.
The chicken-and-egg problem is a big problem. If you need to verify the security of a system, you need to have written the compiler, from scratch. You cannot rely on a third-party tool, unless you can verify the compiler executable (not its source code). The article also notes that the problem is even worse: you need to verify that the hardware implementation of the instruction set is correct.
Don't get me wrong, I think that open-source is important. It just doesn't provide any absolute guarantees.
It makes contract bidding cheaper. If you can use an OSS toolkit over a proprietary one, the cost that gets billed to the government is lower which makes it easier to win contracts. Other than that, bureaucratic inertia is the only major problem OSS faces. There is hardly any more bias against OSS than there is toward any regular commercial software.
This is the time that Open Source activists and promoters need to run with the ball. Draw the attention of CEOs and business executives to the fact that the DoD advocates Open Source. Show them that we're not talking toy software. Show them that this isn't about not wanting to spend money. (Since when was the DoD afraid to spend money?) This is about an innately powerful method of developing high-grade - even military-grade - products that do what people actually need done.
We couldn't ask for better, but only if those outside of the IT industry actually hear of it. If only those who already accept the strengths of Open Source know that someone else has also decided it is a good solution, then that decision means nothing. Particularly as the DoD is very unlikely to do anything about it. It'll just be a decision. But if the business community got shown this... That would be a whole different ball-game.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Govt. IT is highly fragmented. It took 20 years for DOD to switch to all-diesel. How long to switch to open-source?
Penis Cleaver, what a cute name you have. Oh well, it's worth the time to answer your silly question.
Intention is more important than time here. Now that the US DoD has realized and proven the obvious, they will do it as they need to.
The rest of us can continue the migration and have fewer problems doing it. We can now point to it whenever we run into "Get the Facts" nonsense that M$ and other tin horn companies spend lots of money telling people. It was bullshit and this is one more nail in their credibility coffin. It's the kind of thing that makes their fanboys feel like they were lied to, because they were.
Enough hits like that make things much easier. Between the government stating the obvious, DRM and corporate rip offs, M$ is losing most of its fan base. Companies are feeling very burnt by the long time it's taking to get Vista out because of all the money they spent on code assurance plans. DRM disasters are turning off home users and reviewers because the systems are so buggy that all of M$'s hardware lock-ins and driver advantages are negated. Now everyone can look back at the things M$ has said about security and think, "those people are not very honest." All of that animosity makes it that much easier to advocate free software.
It's nice to see people finally catching on.
Friends don't help friends install M$ junk.
I work for the Child, Youth and Family Development department. We use Windows on the desktop, Novell as our file server and SuSE Linux for everything else. Currently we are transitioning away from HPUX to an IBM BladeCenter environment running VMWare and SuSE. We have one major application and several minor ones. The major app, a client tracking system, was developed in house and runs Sybase as a back end. Eventually we plan on porting it to use Postgres and releasing it as open source so that anyone in need of a client tracking system can use it.
This is the real beauty of open source in government, not leveraging the work of others by running open source systems, but leveraging the large development force that most governments have to share in house apps with less of the usual inter-agency squabbling. An agency that might be wary of using a non open source application developed by a rival agency will be less wary of using an open source app that just happens to be developed by said rival. Instead of reinventing the wheel, in house development staff can cooperate with other staff in other agencies.
That the DoD would recommend open source is exciting, because it really is a good fit for government agencies. Believe it or not, our little state government IT department is better run and more on the ball than most IT departments that I have worked for in big corporations. Moving to Linux hosted on blades running VMWare has freed up a lot of resources to plan for the future that used to be used in just putting out fires.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Because the exact same complaint applies to proprietary software. It is not true that anyone can introduce code into an OSS project. While everyone can make their own private modifications to the source, that is entirely different from getting your code accepted into the official repository. Every reputable project out there restricts commit permission to developers who have proven themselves useful. All other patches have to go through one of the main developers first. Now these "trusted" developers certainly could insert malicious code, and given the division of labor it may very well go unnoticed by other developers (ESR's million eyeball theory is bunk).
However, this is no different from a proprietary product. These are often developed by large teams, working under unacceptable deadlines. Therefore, code reviews don't always happen, or are not as vigorous as they could be. Those conditions could also lead to disgruntled employees, some of which won't have the highest moral resolve. Some companies don't have the highest moral resolve, and will knowingly put malicious code into their product. It is just as possible for malicious code to get into proprietary software as open source software.
So what it boils down to is that OSS is no different than proprietary software in this regard. If you trust Windows, you should also trust Linux. If you trust Photoshop, you should trust Gimp. If you don't trust Joe Sourceforge, then you also shouldn't trust Joe Shareware. Sometimes knowing that a product is widely used and reputable is good enough. Sometimes it isn't, and in that case you either need to write it yourself or, like you said, audit the code.
Of course if the military does a code audit on Linux they would have to contribute back the patches so it is a win win situation.
Show me the section of the GPL that stipulates this.
Don't bother, it isn't in there.
The Government (or any contractor) is under no obligation to release the results of any derivative works back to an upstream source. If a contractor like Northrop Grumman did do a code audit and made patches, they'd only have to release these improvements to the customer (DoD). DoD could take or leave the source code.
That's what people forget about the GPL, just because you sell something to one customer doesn't put you under any obligation to provide source to anyone else. It's a requirement of distribution, but it doesn't dictate your DISTRIBUTION GROUP.
Which is why it irks me when people complain about the viral-ness of the GPL. It's not like it'll enable China to see your source code or anything if you use it as a government contractor.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
If Shelley is against it and Tristan is against it it must not come to pass!
Forget outsourcing. Software companies that don't manage their development process closely enough (and that's most of them) often end up with unauthorized features. Usually they're added because somebody thought they were cool, but backdoors are not unknown.
I used to work at Borland, and the developers there are notorious for adding features totally on their own initiative. In one famous case, the unauthorized feature was a back door in a widely used database server. This back door was probably not created with malicious intent, but the security effect was the same. Any bets as to how many other similar back doors exist that haven't made the news?
The Interbase back door was only discovered when the product was open-sourced. And that nicely illustrates why open source is more secure than closed source. Borland's blunder demonstrates that you can't secure software simply by making source creation "employees only". A company can monitor the development process in order to prevent developers from creating security problems — as Borland should have done — but how do you separate companies with good auditing procedures from those that just claim they do? By contrast, opening up the source offers objective evidence as to the software's security — or lack thereof.
The WGA debacle has proven that Windows update is a security risk. Not running Windows update is also a security risk. When will non-US governments reach the conclusion that they need to move off Microsoft software? It is a matter of national security.
...your rifle was made by the lowest bidder."
That's a relatively old joke in the Military, and a relatively sick one when you consider the problems of faulty weapons (e.g. exploding in your hands). But it points to something pretty basic. When it comes to things, the DOD is rewarded for going cheap. This doesn't mean that they won't but they are rewarded for trying. In this gig Microsoft is at a disadvantage as their competitors are a) Free, and b) can be taken under total control by the DOD. Remember that in-house changes to GPL'd code need not be released. Microsoft on the other hand is likely to worry about in-house changes to their stuff (e.g. document security restrictions for Office).
While I doubt Stallman will be welcome any time soon keep in mind that Theo De Raadt and the other BSD people have been welcomed (and financed) by the DOD before now. Ditto things like SELinux. In many ways this is only surprising because it took so long for them to say openly.
funny how these days EVERYTHING that a politician is interested in is always considered to be "good for national security"... in any case, nothing says 'secure' like giving out blueprints to a part of your infrastructure... fucking idiots.
sigs suck
What will be the response of the big DoD contractors? Will they nod their approval and adopt the new DoD IT process, or will they join with Microsoft and try to keep the status quo (including spreading more FUD)? Initially they will most likely do the latter as they tend to make more money by building the same closed, expensive thing over and over. Reuse is not in their best interest. Open IP is not in their best interest as their competitors might be able to use what they perceive as their IP. Many make a lot on per-unit sales and markup of COTS, often with most of the markup due to the software.
Only if the big contractors can be encouraged to conform and adapt will this succeed. They are in the business of making money and don't care to reuse code or build an open widget as they make as much money as possible on closed, proprietary, limited functionality, complex systems. Their goal is to maximize shareholder equity. Today, closed is best and maximizes the equations. OTD/OSS would hurt their markups; remember the $500 toilet seats. The same applies to software and IT in the current market. OTD/OSS would upset the apple cart and hurt their profits and hence the bonuses of management. Also, many companies in the US can't think past the next couple of quarters, but OTD/OSS adoption is a strategic change that will take years to implement. I run into these problems daily but thankfully am in an island of OSS.
A further problem is one of mindset. Many in the Government, especially the DoD support world, know only Microsoft as that is what DoD has been buying, it is the "safe bet", and it is what "just works". It was the lowest cost alternative. There are a lot of MCSEs out there that support DoD (I know many at the Pentagon and in the DC area). Changing to an OSS mindset will require retraining and relearning how to do things with other than a pretty, nice, shiny point-and-click GUI (the chief button pusher at Spacely Sprockets is an MCSE working for DoD).
However, if DoD can phase this in with the buy-in and cooperation of the large contractors, it will work.
What can you do to help? Work with DoD and their contractors to help, starting with open standards and protocols. Encourage the use of open tool chains and standardized, OSS platforms. Help establish systems to vet the source code and verify changes (BSD does some of this now). Encourage the use of OSS collaboration tools that foster best practices like bugzilla and subversion. When FUD appears, counter it not by emotional anti-FUD but by well thought-out, factual dialog with all parties, leveraging the court of public opinion.
At least as a US citizen. Companies like Microsoft (Microsoft specifically) are a pretty big part of our economy. I don't think I have to even say how much money is coming into the US economy with each OEM computer bought out there putting probably $150 into our economy including MS Windows and Office.... Open Source is good for the global interest, yes, but I don't think so for the United States interest. It's easy to continue riding a wave of success (Like Microsoft has done for the past couple decades), but the combination of the United States decline as an innovator and common-sense idea that people from one country are not smarter than people from another in general makes me think that if Open Source ever overthrew closed source, it's likely the companies making money off from it might not be based in the US....
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
I've been telling my bosses this for 2 years! Maybe now they'll listen...
Or have you only comfort...that stealthy thing that enters the house and guest then becomes host, then master - KG
To: Department of Defense, Source Distribution Department
From: Kim Jong Il
To Whom It May Concern,
In accordance with the terms of the GNU General Public License, I'd like to receive a copy of the source code for your Pacific-based Ballistic Missile Defense System. I do not require it in CD form; please simply email it to me at the above address (k.il@korea-dpr.com).
Thank you for your prompt fulfillment of your obligations under the GPL.
Sincerely,
Kim Jong Il
The recommendation by the DoD isn't specifically to use open source software, though that'd be one possible implementation of it. What they're recommending is that the DoD build a foundation upon which code and standards can be shared in the way that open source tends to do. The current situation in DoD is that basically every project writes its own code, so the software in a GPS satellite may well be entirely distinct from the software in a communications satellite, even though they could both be cheaper and more reliable if they were to reuse code and standards. It's the methodology, not the actual code, of the open source movement that they're interested in.
Haven't made it through the whole thing yet, but FTR:
The business model of purchasing physical goods and services has served DoD well in the past; but it falls short when applied to software acquisition. By treating DoD-developed software code as a physical good, DoD is limiting and restricting the ability of the market to compete for the provision of new and innovative solutions and capabilities. By enabling industry to leverage an open code development model, DoD would provide the market incentives to increase the agility and competitiveness of the industrial base. Currently within DoD, there is no internal distribution policy or mechanism for DoD developed and paid for software code. By not enabling internal distribution, DoD creates an arbitrary scarcity of its own software code, which increases the development and maintenance costs of information technology across the Department. Other negative consequences include lock-in to obsolete proprietary technologies, the inability to extend existing capabilities in months vs. years, and snarls of interoperability that stem from the opacity and stove-piping of information systems.
Absolutely.
There are over 100,000 publicly available open source projects available spanning most functional areas. Many of these projects provide mature and robust solutions in their areas of focus. When possible, OSS components should be leveraged rather than funding the development of equivalent proprietary components for specific programs.
Damn Skippy!.
Challenges: Culture and Process
The primary challenges to this transition will be cultural, not technical. Over time, government acquisitions and development processes have built a bureaucracy and rewards system that encourages and supports the status quo. Careers are advanced primarily on program size, not necessarily overall efficiency. Furthermore, government contractors are measured by revenue; government program managers are measured by the size of their organization and their overall budget. The canonical government contracting process creates high entry costs for small innovative companies -- the established contractors attempt to control their positions through proprietary implementations and interfaces. The system is very good at protecting itself -- new approaches, such as OTD, will have to endure legal, security, and process challenges. The current infrastructure will attempt to delay change, claim they are adapting by trying to assume control of the innovative process.
My Favorite Quote is in the DOD report.
There is one thing stronger than all the armies in the world, and that is an idea whose time has come.
-- Victor Hugo
All in All, I'd say the guy in charge of this report knows his stuff and I for one, welcome our new OSS-using DOD overlords.
OSGGFG - Open Source Gamers Guide to Free Games
Wouldn't open source be easier to hack since anyone can look at the source code?
There's a technique for completely countering the "Trusting Trust" attack, called "Diverse double-compiling". See my web page on countering trusting trust through diverse double-compiling, which includes a link to a paper describing how to do it, and an example where it's been done.
- David A. Wheeler (see my Secure Programming HOWTO)
In fact, Mitre told them that they were already using FOSS so much that "...banning FOSS would have immediate, broad, and strongly negative impacts on many sensitive and security-focused DoD groups to defend against cyberattacks." (Quoting from the executive summary)
:)
You can read the whole thing here. So, it's taken four years for the DoD to finally put in place an official policy encouraging the use of FOSS when the guys in the trenches have apparently been doing so routinely for about a decade. Typical.
I said that any trusted system should have a complete code audit done. And that it really didn't matter if it was open or closed source.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
In addition, alternative languages and tools tend to be stifled in so-called "open" (read group) environments, because the rest of the group immediately pushes to have the alternative tool or environment removed, unless the group agrees that it is a good idea.
How on Earth is this different from working for a company on a closed-source project? In fact, such a decision to stifle an alternative tool is frequently made by non-programmers in a closed source environment or by higher-ranking programmers in an entirely undemocratic fashion.
In open source, you're always free to fork the code and leave to pursue the solutions you think are best. This isn't true in a closed source environment.
It seems that a lot of the open source push has been a reaction to the fact that many of the development tools we use are not at a high enough level of abstraction. If you abstract away from code and languages where you are doing your own memory management, one would think that you would experience fewer memory-related programming issues.
What, do you think some sort of Open Source Illuminati is using bribery, blackmail, and beatings to force all Open Source projects into languages you don't like? People use low-level languages in Open Source projects because it's what they know and what they like. Unlike working for a company, you are perfectly free to choose a higher level language if you want for your project.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
The military security folks have been saying for decades "Don't run any software unless you have the source code all the way down, plus the circuit diagrams. If you don't, you have no idea what might be hidden inside."
So the DoD's decision makers are listening to their security experts?
I guess maybe it is news.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Are you some kind of idiot? In a few years some other guy will be in this guy's position and will have a different take. When I say fragmented, I mean 100 different domain controllers and methodologies, and ever changing management.
You sound just as bad as the MS apologists. The fact of the matter is you can deploy decent solutions in either open source or closed source, and if you know anything about IT problems in govt you would realize that neither will cure the disease that ails it. You open source guys sound really needy more than anything.
Mr. P3NIS_CLEAVER to you bud.
Please sign petition to restore sanity to our banking system!!!
http://financialpetition.org/
HillyTwit strikes again!
Between the government stating the obvious, DRM and corporate rip offs, M$ is losing most of its fan base.
Are they? Lots of people (outside Slashdot) are very eager to get their hands on Vista. Windows is still very widely used due to its support for games, its supporting the only fully usable office suite available and its instant accessibility to most computer users around the world. As far as it goes, people don't care about DRM, because it doesn't actually affect them; for people who want to watch movies on their PC or DVD player or play music on a portable device it won't do much harm.
DRM disasters are turning off home users and reviewers because the systems are so buggy that all of M$'s hardware lock-ins and driver advantages are negated.
Not really. Home users don't care because it doesn't affect them (see above).
Now everyone can look back at the things M$ has said about security and think, "those people are not very honest." All of that animosity makes it that much easier to advocate free software.
Or, conversely, they might just not give a shit and want to get on with their lives. There's not going to be a mass migration to Linux any time soon, get over it.
By summer it was all gone...now shesmovedon. --
You _really_ don't have the foggiest idea about the terms of the GPL, do you?
/sigh...
The US government would not be required to honor this request _UNLESS_ they had already distributed the binary for same to KJI.
See, if I make a distribution of something based on someone else's GPL code, I _only_ have to distribute the sources TO THE PEOPLE I DISTRIBUTED THE BINARIES TO. I don't owe anybody else anything at all under the GPL.
In fact one basic technique is to distribute the sources with the binaries and then rely on the individuals losing the sources. I don't have to make multiple copies available for all time. I _may_ promise to make the sources available for three years, or I can just burn them onto the same disk as the binaries and forget it.
And _IF_ I never distribute the application outside "my organization" (say "the US government" is my "organization") I don't ever have to release the sources to anybody. "My Organization" already has the sources (because I have them and I am in "My Organization") and nobody else is using the code.
People need to _read_ and _understand_ their licenses, and if they cannot read them competently, get competent help reading and understanding them.
For instance, do you understand the implications of using --static when building against LGPL libraries? I bet you don't... 8-)
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
For Stallman to agree, it would have to also be Free (as in kippers)
Flexible bare-metal recovery for Linux/UNIX
I'd go so far as to say that I bet half the security problems in Windows aren't even unintentional, but the hired works of the CIA-equivalent of every single country where Microsoft employes developers.
With open source these can be caught. With Windows they'd most likely be covered up, at least until all the anti-virus-companies get a fair change to make patches.
Maybe if our government used OpenBSD, we wouldn't have to worry so much about Chinese hackers.
Klingon Software is not released, it escapes, inflicting terrible damage onto the enemy as it does
I think you fail to grasp the fact that I was making a joke. I actually understand the terms of the GPL very well, having researched it for my startup. The premise of my joke was that the DOD had directed its contractors to develop missile defense systems under the GPL free software license, and was then obligated as a customer of those contractors to release the code. In the real world this would probably never happen, since even if they chose the GPL (which I doubt they would), I believe DOD could simply break the license if "national security" demanded it. Anyway, I would rather be a troll than a hysterical GNU Zealot any day...
On a more serious note, if the DOD decided to make its software open source under less restrictive open source terms (e.g. Apache-style), they would still be giving away national security secrets by the basic act of opening the source, even though they would not be obligated to release any subsequent modifications to the public. On the other hand, taking open source software and modifying it internally (and secretly) is probably a great strategy, since it tends to be more reliable and modular, IMHO.
You're quite right on all counts.
However I'm interested to know if the military bothers to stay in compliance when they sell military hardware to other countries. If they sell some missiles + ground guidance system to another nation, and it includes GPL-derived software, do they actually bother to give the source code?
I know that the military in general does not like people reverse-engineering the hardware they sell (even to friendly countries).
Or maybe this has never actually happened in practice?
Not gonna happen.
At least not on a large scale. I know for a fact that the Army has spent a ton of money to move to Active Directory and I think the Navy has done the same. They are not going to chuck their whole investment because of one report.
Uh... no. -1 Wrong, because with the GPL you are only obligated to distribute source code when you distribute binaries, and then only to the people you distributed said binaries to.
So in your hypothetical scenario, the contractors would be obligated to send a copy of the source code to whichever agency is responsible for loading the software binaries into the missile systems. Oh, wait... that's the DoD, isn't it?
I'm glad someone else pointed this out. I work for a government contractor, and there is a lot of FUD about the "viral GPL". There are huge misconceptions about the GPL. I've been to meetings where people have said that we can't use GPL code because we are obligated to send back the changes to the authors.
Meanwhile, the irony is that you typically give the govt customer your source code anyway. The government can turn around and give it to anyone else they please. It's the perfect place to reuse as much GPL stuff as you want, but we currently stand clear of it totally.
> "The US government would not be required to honor this request _UNLESS_ they had already distributed the binary for same to KJI."
This brings up some interesting questions. Does software on a missile count as "distribution"?
> "I actually understand the terms of the GPL very well, having researched it for my startup."
No, apparently you don't.
> "The premise of my joke was that the DOD had directed its contractors to develop missile defense systems under the GPL free software license, and was then obligated as a customer of those contractors to release the code."
Proof positive that you don't understand the GPL.
First and foremost, such software would almost certainly be a work-for-hire, and the copyright would presumably go to the DoD. The GPL is a DEFENSE against charges of copyright infringement! COPYRIGHT HOLDERS ARE NOT BOUND BY IT! If I write some code, license it under the GPL, and then give someone some binaries, he's got no recourse if I don't provide him the source, because I can't violate my own copyrights! Only the copyright holder can sue for "GPL violations" (actually, copyright infringement), and I'm not about to sue myself! And the person would end up with undistributable binaries (since they would not be able to comply with the GPL).
And even if the DoD didn't own the copyrights, neither they nor the contractors would be under any obligation to distribute the source to any third party. The "third-party" clause (3b) of the GPL only applies when you distribute (somebody else's) code in binary form without the source! Then you have to make a written offer to provide anyone with the source for three years. But the DoD would have to be extremely foolish to make such an offer. They don't have to distribute binaries at all, and if they do, they can use clause 3a, and provide the source up-front. In which case, their response to your imaginary letter could be: "I'm sorry, we do not distribute the source separately, but if you'll tell us where you got the missile, we'll happily sue the supplier for copyright infringement." Which would hardly further Kim's agenda.
Dear Mr. Jong Il:
Thank you for your interest in our Pacific-based Ballistic Missile Defense System (PBBMDS). The source code for the PBBMDS is only distributed with that system. We do not entertain requests from third parties to provide the source code. You may have been confused by reading clause 3b of the General Public License (GPL); however, we distribute the code under the terms of clause 3a of the GPL, which incurs no obligations to third parties. If you have received binaries of our code without the source, please provide us with the name and address of the distributor, as they have violated our license and copyrights, and we may wish to pursue legal action against them. If you have not received binaries of our code, please go pound sand.
Love and Kisses,
US Department of Defense
Uh oh, looks like someone let Twitter near an Internet connection again, despite the restraining order. And, sad to say, it appears that the current regimen of anti-psychotics isn't working, Twitter - be sure to tell your doctors.
But, it was nice to see you again! Your posts are always good for a laugh.
OS X, the rest of the BSDs, Solaris, Linux and others will fight for contracts; and they will all offer various cost/benefit analyses while adhering to the open standards requirements. Microsoft has the most to lose.
willy, you've gained so many friends in the past few days. I'm so proud! Maybe it's time to start forwarding these threads to your pals in the BRLUG? I'm sure they'd enjoy them very much. What do you think?
This was not really a seat. It was the piece of an airplane lavatory that goes from floor to ceiling, formed to include a place to sit your butt while you poo. It had to fit the cramped confines of a B1 bomber, which is a 4-man supersonic swing-wing plane. That's going to be a small order for a custom-molded part. You try getting such a good deal!
BTW, the "hammer" was a calibrated device that could be adjusted to limit the impact. This presumably avoids damaging something that would be very very expensive to replace.
The government may have source to look at, but not be allowed to distribute it or even recompile it.
> "So in your hypothetical scenario, the contractors would be obligated to send a copy of the source code to whichever agency is responsible for loading the software binaries into the missile systems."
:)
Although I agree with almost everything you said, I have to quibble with this part. If the contractors hold the full copyright on the code in question, then they would be under no obligation to anybody! The GPL is not binding on the actual copyright holders, except as promissory estoppel against infringement lawsuits. The contractors are not going to sue themselves for copyright infringement, and even if they did, they'd lose, because they already have permission to distribute the code under copyright law, and don't need the permissions granted by the GPL!
The GPL only exists to defend against copyright infringement suits. If you're not potentially infringing someone else's copyrights, the GPL is effectively meaningless.
Yes, this means that someone can license their code under the GPL, and then only release binaries! Those binaries would simply not be redistributable (since nobody else would be able to comply with the license). It would be a strange and rather pointless thing to do, but perfectly legal. Not even a problem for the people who received the binaries, since using a binary that you've obtained legally is not copyright infringement.
Of course, this only applies if you own the complete copyright. If you've created a derivative work, it's a whole 'nuther story. Still, I think this edge case, as far-fetched as it is, really helps illuminate how the GPL actually works.
Very well. Back to the drawing board for me, I guess... clearly, IANAL.
PS: Thanks to all for the corrections, I do appreciate the opportunity to learn from my errors.
For a substantial look at what the existing recommendations are, take a look at this excerpt from DOD directives on secure computer systems. It says that open source is ok but freeware with no access to source and no support is bad. Seems reasonable, no?
"DCPD-1 Public Domain Software Controls
Binary or machine executable public domain software products and other software
products with limited or no warranty such as those commonly known as freeware or
shareware are not used in DoD information systems unless they are necessary for
mission accomplishment and there are no alternative IT solutions available. Such
products are assessed for information assurance impacts, and approved for use by the
DAA. The assessment addresses the fact that such software products are difficult or
impossible to review, repair, or extend, given that the Government does not have access to
the original source code and there is no owner who could make such repairs on behalf of
the Government."
Source: http://www.dtic.mil/whs/directives/corres/pdf/i85002_020603/i85002p.pdf
(search for the word "freeware")
Christ, you have no idea what we actually do here. And you have no frickin idea what some of these kids have gone through, so zip it. Foster care for orphans, detention centers for kids who commit crimes, aid for families in crisis, there's a lot more to CYFD than just taking abused kids away from messed up parents.
The last point you make sounds suspiciously like the excuse an abuser would make. Sorry if you were a bad parent and someone took your kids away. Doesn't negate the good work we do.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
A vengeful inlaw made an anonymous phone call to get even with me. She had gotten herself approved to be a foster home, but had refused to take any kids so far, thus having available space. She was trying to push me out of the family, engineering a divorce by forcing my wife to choose between me and the kids. My wife didn't go for it; we wasted $6000 on a lawyer to fight off a fucking anonymous phone call. We didn't have $6000 to spare. Many people would have no hope of paying that, so they automatically lose.
You always assume the abuse is real. I mean, people wouldn't phone in anonymous tips if there weren't serious emergencies, right? It's guilty until proven innocent. Crap, you immediately assume I was a bad parent. What a nice person you are.
We don't need underpaid idiots making life-changing decisions for families in a matter of a few hours spread over a few days. Being in IT, perhaps you are unaware of the federal quotas that provide extra money if you take enough children away from their rightful parents.
Well, I'm sorry if you were in fact a good parent and got screwed over by the system. There certainly are problems but the system does more to protect children than harm them. For every case like yours there are fifty where the child was in real danger, and like I said, taking children from their families is not all we do.
Sure, it's possible that malicious code could get into OSS and make its way into secure systems. But the exact same thing is true for proprietary software.
US companies have people working for them that have no security clearance and could easily be a foreign agent. If anything, the commercial code is more at risk, because there's no independent review of the potentially compromised code. At least if someone's contributing to Linux you know somebody's looking over their patch. With a proprietary company, who knows what kind of process goes on? That lack of transparency makes commonly-used proprietary vendors a better target for espionage than OSS, IMO.
My thinking was along the lines of someone in, say, a contractor working for the DoD, since they don't have a lot of internal manpower for things like that. What talent they do have for efforts like that is probably tied up evaluating any custom code that they deploy widely. On the other hand, most DefCons rarely contribute fruits of labor back to OSS projects because it is viewed as some kind of intellectual hemorrhage which doesn't maximize shareholder value. :-|
Why let your competitors enjoy the fruits of your labor?
The Def Con would rather use that audited OSS stack as a baseline for a COE which they maintain (support contracts, YAY!)
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
The Ballistic Research Lab released BRL-CAD under the GPL.
It's a CSG modeler. Fairly slick from what I've seen in the week I've been messing with it.
I doubt you can honestly determine if a child is in danger. You certainly can't determine the quality of an investigation by anything dependent upon the investigation itself. That's a circular proof.
You can retroactively determine danger if and only if the family is not destroyed. On occasion, this makes for bad press. There is no way to determine how many decent families have been destroyed.
The concept of "innocent until proven guilty" does mean that a few evil people (serial killers, terrorists, rapists, child molesters, arsonists, carjackers...) are free to keep doing evil. Despite this, the concept is a key component of a just and fair system of law. It is better to let many criminals go unpunished than to punish the innocent.
BTW, kids put in foster homes are more likely to be abused than other kids are.
Oh, my coworker's friend had problems too. He got in an argument with his business partner. The business partner phoned in a report that the daughter was getting molested. It seems a lot of people have no qualms about using socialist workers as a weapon for revenge. The system is ripe for abuse.
IBM has many customers, Govt. and Civilian.
:-D
Northrop Grumman, Lockheed, TRW, etc. live and die by Govt. contracts and are not interested in new-fangled web-to-oh and wikiki-macalits or anything else "trendy" in the computing world. They have no relationship to maintain with the computing public at large, if you will.
I would wager that the use of OSS internally and for the customer is due to close relationships with Uni. labs and the graduates that come into those workplaces who know the territory.
But you know, if ONR or somebody is auditing some OSS and they make some patches I would expect them to be a lot more hip to back-contributing since they are supposedly working in the general interest of the US.
It's more like: I mean, think of the paperwork involved in a public release of auditing results and patches from somewhere like SAIC. What project manager would want that headache unless there was a business case for it? I work for a non-profit that regularly contributes to OSS and it's a pain in the ass even then.
This is true -- it's tough to make the USG give the code changes back upstream if they don't want to, but historically, the DoD has a pretty good history of contributing to the collective pool of IT knowledge for free (or rather, with a lot of US tax dollars) if there's not some reason why they can't do it.
At least when the government develops something, you don't have the automatic copyright problem that you do if it's developed privately. This is why the Ada standard manual is freely available and in the public domain, while you'd have to give an arm and a leg and your first several children to the ISO if you wanted to get the standard for C. Admittedly, not very many people probably want the manual for Ada...but it's there, if you wanted to read it.
When the NSA developed SELinux, they made it public, including the code changes -- quite a few people use that. They didn't have to release that, but they did anyway, and in fact still maintain a site where you can download their changes. (And the new modules that they actually wrote from scratch are public domain, not even GPL.)
If you wanted to sum up the USG as an entity, particularly the military/defense parts of it, they have a pretty respectable track record in terms of being good citizens with regards to sharing information and collaborating, when there's not any reason for them not to.
They'll obviously never share information when there's any kind of disincentive -- when it would compromise security to do so, for example (and if it really would compromise security, I wouldn't want them to and I don't think many people would) -- but I think their history ought to give them a little more respect than we give to many corporations, who seem to only release anything when they have no other choice.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."