Open Source In the National Interest

munchola writes "A new report from the Department of Defense's Advanced Systems and Concepts Office recommends that the DoD move to adopt open source software and methodologies as well as open standards in order to make the most efficient use of internal resources. According to CBR, the report states that a move to 'Open Technology Development' is not only in the U.S. national interest, but in the interests of U.S. national security. OTD incorporates open source methodologies and open standards, but also takes into account the fact that the DoD has systems that it would rather keep secret."

Training

[mo'o+ahi]

First, I generally agree that there are many areas where this will be of significant benefit. Unfortunately, there are so many problems across DOD right now due to insufficiently trainied operators/admins - this will make it significantly worse in the operational arena. I have been on board many installations to train people and was saddened by the lack of sound IT skills by those that are supposed to be managing the systems. Of the 100 or so IT personnel I have trained, I would say that 5-6 have the necessary mindset and skills to effectively implement OSS. Centralized control is a hallmark of DOD IT - and this flies in the face of that as well, from a cultural perspective. (not that this is a bad thing) So, this means that not only will they need to change the infrastructure - the culture will need to shift, which is a much longer term issue. Then again, this could be good for the network-centric warfare concept. It could inject a much needed does of innovation.

Verifying code

[Peter+Mork]

The chicken-and-egg problem is a big problem. If you need to verify the security of a system, you need to have written the compiler, from scratch. You cannot rely on a third-party tool, unless you can verify the compiler executable (not its source code). The article also notes that the problem is even worse: you need to verify that the hardware implementation of the instruction set is correct.

Don't get me wrong, I think that open-source is important. It just doesn't provide any absolute guarantees.

Re:Wait a minute!

[civilizedINTENSITY]

It is called GNAT: The GNU NYU Ada 9X Translator. "GNAT is a free, high-quality, complete compiler for Ada95, integrated into the GCC compiler system." Note that "The work was co-sponsored by ARPA and the Ada Joint Program Office." Also look at GNADE, the GNU Ada Database Environment.

Re:The anti-OSS people do have one point.

[thewiz]

FYI: The government already has several organizations that review source code and test software before it is accepted for use. Putting something that has not been reviewed on a government computer is a good way to lose your clearance.

Not recommending open soruce software

[flooey]

The recommendation by the DoD isn't specifically to use open source software, though that'd be one possible implementation of it. What they're recommending is that the DoD build a foundation upon which code and standards can be shared in the way that open source tends to do. The current situation in DoD is that basically every project writes its own code, so the software in a GPS satellite may well be entirely distinct from the software in a communications satellite, even though they could both be cheaper and more reliable if they were to reuse code and standards. It's the methodology, not the actual code, of the open source movement that they're interested in.

Countering Trusting Trust

[dwheeler]

There's a technique for completely countering the "Trusting Trust" attack, called "Diverse double-compiling". See my web page on countering trusting trust through diverse double-compiling, which includes a link to a paper describing how to do it, and an example where it's been done.