Slashdot Mirror


US Dept. of Defense Creates Its Own Sourceforge

mjasay writes "The US Department of Defense, which has been flirting with open source for years as a way to improve software quality and cut costs, has finally burst the dam on Defense-related open-source adoption with Forge.mil, an open-source code repository based on Sourceforge. Though it currently only holds three projects and is limited to DoD personnel for security reasons, all code is publicly viewable and will almost certainly lead to other agencies participating on the site or creating their own. Open source has clearly come a long way. Years ago studies declared open source a security risk. Now, one of the most security-conscious organizations on the planet is looking to open source to provide better security than proprietary alternatives."

8 of 131 comments

  1. Re:forgemil.com? by imamac · Score: 5, Informative

    Nice. It even points the user to ANOTHER non-.mil site to download a PKI certificate. That settles it for me. This is NOT the military.

  2. Re:forgemil.com? by legirons · Score: 5, Informative

    You know it's the right site, because its certificate is signed by the DoD CA.

    Except that CA isn't installed in any browser.

    And the site to download that cert is signed by the cert itself. Security by circular reasoning.
       

  3. Hopefully all the GOTS software will be there too. by robkill · Score: 3, Informative

    In most cases, if software was developed under a government contract, then the government has full rights to the source code. It would be a great starting place for updating a number of existing applications. Version control and vetting of results could be problematic in some cases, but not impossible to overcome.

    --
    DMCA - Chilling free speech since 1998.
  4. For those of you trying to connect...read the FAQ by Bearhouse · Score: 3, Informative

    "Though it currently only holds three projects and is limited to DoD personnel for security reasons, all code is publicly viewable"

    No, it's not. Code posted to .mil is only available to those with sufficient authorisation. The .com site is publicly available for those seeking more information.

    So, code will NOT be 'publicly' available - only to those on secure. Kinda as you'd expect, but rather a long way away from real FOSS.

  5. Re:forgemil.com? by Anonymous Coward · Score: 4, Informative

    forgemil.com is for public access to information about what the project/service is. It explains, quite clearly, that to access forge.mil, you will need either a DoD-issued PKI cert (CAC for you DoD folks), or a cert from a DoD-trusted source. All .mil infrastructure stuff is PKI protected by policy. It also explains in the FAQ why you get the SSL warnings about untrusted certs. It also tells you how you can download the DoD root certs (they only provide installs for Windows; you'll either have to dig around to get the certs for other platforms or just create an exception in your browser).

  6. Re:forgemil.com? by Vertana · Score: 4, Informative

    The reason for that is, you have to be in the DoD and you receive the cert by CAC (DoD ID cards which double as a smart card with your PKI certs and authentication information). This forces you to obtain the certs physically and in person at a DoD site (i.e., ID Center on a military base, etc.).

    --
    "The best way to accelerate a Macintosh is at 9.8m/sec^2" -Marcus Dolengo
  7. Re:Huh? by Vertana · Score: 3, Informative

    Yes, which claims a standard United States Government agreement which claims they own the computer, the data, your soul and anything else that may come in contact with it... but it also states "Forge.mil is currently in beta with limited operational availability. General availability for unclassified use is scheduled for Spring 2009." So, one could safely assume (at this point) that with the PKI Certification that's needed and the agreement they expect only DoD computers to be accessing it at the moment. However, at some point everything stated will be changed (or they'll change their mission from being 'open').

    --
    "The best way to accelerate a Macintosh is at 9.8m/sec^2" -Marcus Dolengo
  8. Re:forgemil.com? by mysidia · Score: 3, Informative

    Nice. It even points the user to ANOTHER non-.mil site to download a PKI certificate. That settles it for me. This is NOT the military.

    The homepage of the site they are pointing to, https://www.dodpke.com/, says the site has moved to: another url

    Which refers you to: this document

    Which states the following:

    Alternate method of retrieving DoD Root Certificate

    If you have trouble accessing the page listed above you can also visit the following page to download the DoD Root Certificates: https://www.dodpke.com/InstallRoot.

    The dodpke.com site is also linked by http://www.nsa.naples.navy.mil/bno/PKI/index.htm.

    I cannot conclude that this is a scam; it appears to be probably legitimate, or at least the cert information is legitimate.

    What they don't mention though is it's probably more secure to use a workstation that already has the certificate installed, download the file to a medium, then use the medium to install the certs on the 'fresh' workstation (No risk of man-in-the-middle while connecting with SSL to a site without a trusted cert).

    dodpke.com has a registration date in 2002
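
Added example, not part of the original thread: the out-of-band transfer suggested in the last comment comes down to comparing a root certificate fetched over an untrusted connection against a fingerprint recorded on a machine that already trusts it. The function names and the stand-in certificate bytes below are constructed for illustration; the fingerprint text format is the one `openssl x509 -fingerprint -sha256` prints.

```python
import hashlib
import hmac
import ssl


def der_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding of a PEM certificate, lowercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.sha256(der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'sha256 Fingerprint=AB:CD:...' (openssl style) or bare hex."""
    fp = fp.strip().split("=", 1)[-1]
    fp = fp.replace(":", "").replace(" ", "").lower()
    if len(fp) != 64 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("not a SHA-256 fingerprint")
    return fp


def root_matches(pem: str, trusted_fp: str) -> bool:
    """True only if the fetched cert is the one fingerprinted out of band.

    A self-signed root verifies under its own key no matter who made it,
    so the signature is never consulted; only the carried fingerprint counts.
    """
    return hmac.compare_digest(der_fingerprint(pem), normalize(trusted_fp))


def openssl_style(hexdigest: str) -> str:
    """Format a hex digest the way the openssl command line prints it."""
    pairs = [hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2)]
    return "sha256 Fingerprint=" + ":".join(pairs).upper()


# Constructed stand-ins: arbitrary bytes wrapped as PEM, not real certificates.
GENUINE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed stand-in: genuine root")
SWAPPED_PEM = ssl.DER_cert_to_PEM_cert(b"constructed stand-in: substituted root")

# Recorded on the workstation that already trusts the root, carried on a medium.
CARRIED_FP = openssl_style(der_fingerprint(GENUINE_PEM))

if __name__ == "__main__":
    print("genuine accepted:", root_matches(GENUINE_PEM, CARRIED_FP))
    print("swapped accepted:", root_matches(SWAPPED_PEM, CARRIED_FP))
```
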