Slashdot Mirror
Free Can Make You Bleed: the Underresourced Open Source
jones_supa (887896) writes "After the Heartbleed fiasco, John Walsh brings attention to the lack of proper manpower and funding to run various open source projects. Free is not usually a bad thing, but it can be when it causes the software your business depends on to be under resourced. 'OpenSSL for example is largely staffed by one fulltime developer and a number of part-time volunteer developers. The total labor pool for OpenSSL maybe adds up to two fulltime developers. Think about it, OpenSSL only has two people to write, maintain, test, and review 500,000 lines of business critical code. Half of these developers have other things to do.' Theo de Raadt has also spoken about too much donations coming from the little people instead of companies, and not too long ago even the OpenBSD project almost couldn't pay its power bills. Walsh goes on to ponder security of open source software, the 'many eyes' phenomenon, dedicating people to review code, and quality control."
It is over fragmented
If your business relies "critically" in its functions on such a piece of software, how would you as a business owner ensure the continuity of the "critical" function?
A. Hire someone to maintain and work on that software.
B. Whine about someone not giving you their time for free.
C. Buy a commercial solution which costs you 50 k USD a year and has at most same level of support as OpenSSL (though better packaged and you get to chat with the smooth sales rep)
What do you do?
From a bit different perspective (largely unix-practical) -- when not having enough resources, you are forced to keep stuff simple. That's usually good, isn't it?
Anyway, I always wondered why is OpenSSL such a bloated pile of code. It does one god damn gazillion things tightly packed. Now, TLS implementation itself is pretty simple, Key management tools are pretty simple, PKCS verification tools are pretty simple, mathematics behind that is pretty simple, commandline tools for quickusing the maths are simple, relationship between those entities ("APIs") are well-defined and usually clear. Who stuffed all of it into one project?!
PS. Bonus paranoia&FUD I saw today: http://pastebin.com/gjkivAf3
....the 'many eyes' phenomenon,....
And nobody reviews the source code. People download, use the library/code or whatever and be on their merry way.
This "you can't get anything bad through because the source is freely available" has proven to be horseshit.
The author works for the actual SSH company that sells commercial SSH software. Though the points may largely be valid, a lot of the slant in the article is meant to tell people "this is what happens when you don't pay for software, so buy our commercial stuff today. Because it can't POSSIBLY suffer from the same kind of mistake, right? Right guys? ...guys?"
SSH programmers make mistakes. The article writer has an agenda and it's quite obvious. There is no reason to assume SSH is of any better quality than OpenSSH. He even shoots his implication in the foot: "are you going to review two year old patches for errors? No, of course not." This is no different in paid software. If it gets missed during any sort of review, the hole remains. See the recent IE 0-day hole (which has only been around for over a decade) for proof that this is true.
If your business is depending *critically* on a piece of free software then don't be such a cheapass git. Hire a developer or allocate some of your budget to fund the project.
Problem solved.
SJW n. One who posts facts.
How many programmers does Microsoft have? Are their products bug free as a result?
This article is nothing but pure propaganda.
Free software may not be perfect, but, from a security standpoint, it easily beats microsoft, and most other proprietary software.
Cheap was always the way in for governments after beyond the 1950's. If any private or neutral gov was going to develop, market and sell complex cryptography they would find international standards and low prices blocking them. The option was to give up or sell out and go with weakened "international standards".
Free counters a diversity of unique or bespoke per seat, per user count crpto entrepreneurship over many countries.
No matter if it open source or closed source; as long as it can catch plain text, it is a good trapdoor.
Domestic spying is now "Benign Information Gathering"
The problem is that with "many eyes" all the eyes are assuming some other eyes are looking.
Free is not usually a bad thing, but it can be when it causes the software your business depends on to be under resourced.
Of course, paying money for closed source software is no guarantee that it's going to be adequately resourced either. Compare the two most recent, high-profile flaws, both very similar, in that they deal with memory allocation issues:
- Heartbleed on SSL has a team of 2, was extant for 2 years, was patched in 6 days, and the patch was available to anyone who used the software
- CVE-2014-1776 on Internet Explorer. Don't know how many people the team, was extant for 13 years, was patched in 6 days, and the patch was originally going to be denied to users who hadn't upgraded recently.
This does not seem to be an issue with closed vs open source development models - both have had major vulnerabilities extand for far too long, and both can turn around fairly rapid patches when needed. Doling out cash to Microsoft is no more effective at securing your applications than using free open source products.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
The only way corporations are going to carry their fari share of the burden is if they are legally required to. The only way to do that is to make them pay with $, its all they understand.
Libre software is being used by corporations to build gold-plated cages for consumers. Its time to stop playiong their game.
Our glorious leaders are fundamentally wrong on the concept that software tshould be "free to use for any purpose", it should be free to use for the purpose of ensalving us.
..and it quickly gets modded down, since it breaks the echo chamber here.
Seriously people, think about it, giving your services away for free makes no sense. No one else does and, contrary to say, volunteer doctors who help poor people (doctors without borders) free software benefits mostly corporations.
The problem is not that the software is free (as in open). The problem is that people (and companies even more) perceive it as free (as in beer). That that's the main misconception.
Companies want to cut corners by using OSS. They don't do it because it's easier to review, easier to adapt or easier to find someone who can audit it sensibly. They want it because they can grab it and use it without having to pay anyone for it.
And that simply won't fly. Because that entails the "can't someone else do it?" attitude. Yeah, the code should be reviewed. But someone else will do that, we needn't spend money on that. And it should be audited, but can't someone else do it and we save some money?
Funny enough, the fact that anyone can review, audit and fix things is also the reason why nobody does it. It's a bit like that job in your company that anyone could do, and since anyone can do it, everyone relies that someone else will. There's so many who can, at least ONE of them will. Right? RIGHT?
And since the fact that it is "cost neutral" (to avoid saying the ambigious free) is one of the criteria, if not actually THE criterion, why an OSS product is chosen 999 out of 1000 times in a corporation environment, you may rest assured that the same cheapskates that chose OSS because they can pinch a penny will not spend it on auditing it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Ignorance is bliss.
http://cve.mitre.org/cgi-bin/c...
More specifically related to SSL:
http://cve.mitre.org/cgi-bin/c...
http://cve.mitre.org/cgi-bin/c...
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
....the 'many eyes' phenomenon,....
And nobody reviews the source code. People download, use the library/code or whatever and be on their merry way.
This "you can't get anything bad through because the source is freely available" has proven to be horseshit.
Some people are under the assumption if you release something open source, you will get hundreds of volunteers lining up to work on it. And when they do, they will work on EVERYTHING. Truth is unless your project is "sexy" it's hard to get developers. Look at Linux kernel, a lot of the development is done by paid developers (not a lot sexy about the kernel). Look at where projects spend their focus: Firefox reinventing the UI again, Compiz Wobbly windows, usually any application that can be skinned, has 400 skins for every useful plugin. Meanwhile things like performance, or user documentation gets neglected.
Don't get me wrong, I think there's benefits to Open Soruce development models, I just don't think open sourcing something means hundreds of people are looking at it.
But you do get a "lot less bad though". Compare open source to closed source and compare the problems and the number of those problems. Close source security problems lead the way by a long margin.
No system is perfect but open source is closer to that ideal than closed source.
"The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
..and it quickly gets modded down, since it breaks the echo chamber here.
Seriously people, think about it, giving your services away for free makes no sense. No one else does and, contrary to say, volunteer doctors who help poor people (doctors without borders) free software benefits mostly corporations.
The thing is that there is an argument that it is fundamentally unethical to not give away your source code. If you want to argue with that it's not enough to just say "but it's nice to not give away the code". Lot's of unethical things can be said to be nice. That does not make them ethical. Saying that you can't make money if you give away the code does not actually do anything to address the argument that the free software fundamentalists pose, so they're not likely to be swayed by that sort of reasoning.
If you want to argue with the free software fundamentalists you either have to say that they're wrong and that there is no ethical imperative to give away code, or say that there is a conflicting ethical imperative, for example you might argue along the line that it is unethical to do work for someone else without the expectation of market-rate income for that work. After all, what would happen to the economy if it became the norm that people should deliver services without getting money in exchange? The whole monetary system would grind to a halt. Of course, some might say that that would be a nice consequence.
Don't confuse licensing terms with the availability of the source.
Timing is pretty convenient. We have a tale of two exploits:
-Heartbleed. Open source project. Huge catastrophic bug, existed as of beginning of 2012. Fix available pretty much immediately upon discovery. As a result, significant resources are pouring in to proactively examine OpenSSL, some fixing and some forking OpenSSL. One way or another, the fix was immediate and concerned parties are empowered to do what they think is needed and the open source world will have risks mitigated as well as closed source being able to make their own call since it is BSD licensed.
-MSIE vulnerability. Closed source. Analagously large bug (albeit client side instead of server side by sheer luck), has existed since at the very latest 2008, but probably as of 2001. Fix was over a week in coming after disclosure. If you are an organization standardized on IE, you were largely SOL with respect to a fix (though mitigation through tedious security settings was possible). Maybe MS ramps up an internal effort to root out more of these, maybe they don't. They seem to have been in a more vigilant stance as a matter of course and that wasn't enough to stop it.
So in other words, very important projects with huge responsibilities can cock up. They can be open source, they can be closed source. The practical lower bound of resources to address issues in both cases will be small when no one knows something is wrong, but the upper bound when concern happens is much higher in open source.
Some have argued that the 'any bug is shallow with enough eyes' was proven wrong with heratbleed. Discovering security bugs are always more tricky than the bug intended to be considered in that philosophy, but even then once discovered, the bug was very very shallow.
XML is like violence. If it doesn't solve the problem, use more.
Who woulda' thunk it? You Get What You (Collectively) Pay For. It doesn't matter if "payment" is in the form of money or manpower. If software you use is built by labor effort much smaller (in cost and/or size) than is usually needed for a project of a particular size or complexity, it should come as no shock that the product ends up not being the quality it needs to be.
> discuss how to fix some legitimate shortcomings
Is that a joke? This article is not about fixing problems, it is only about smearing F/OSS.
The article is entirely one-sided. It is meant to make F/OSS seem insecure, while completely ignoring the fact that proprietary software is just as bad, if not worse.
Oh dear, yet another Harvard BizSch / Big Business canard that FOSS is governed by the contraints of closed software. Resources only matter when they are restricted -- ie only [certain] employees can fix the code.
FOSS does not have this restriction _AT_ALL_ and that is one of it's greatest strengths. Torvald's "With enough eyeballs, all bugs are shallow." Yes, limited resources may mean it takes a while for an offical patch (still quicker than MS) but unofficial patches can and are generated by anyone interested and capable within minutes.
One follows from the other. If your Free license says that anybody that works on your product is required to give away their efforts for free-beer free, it should not be surprising that it's difficult to find companies to spend money on something (like paying a developer) that won't give them a competitive advantage. This, incidentally, is why we have taxes; it forces people (and companies) to pay for the common good. We wouldn't have much in the way of public works if they relied solely on charitable donations and user fees.
This is a persistent weakness of Free software, but you'll never get RMS to admit that money to pay for programmers does not magically fall from the sky. People are cheap, and if they can get something for free, it's no shock that few of them will pay for it.
In my mind, an ideal software license would have the following;
1) Mandatory Code Release (This gives you some software Freedom)
2) Payment required to copy and/or use the software.
3) Some sort of revenue sharing scheme so that any contributors to the code receive a portion of the funds collected.
Think of it like a "software co-op license"
(This, incidentally, is how industry standards commonly work in the hardware business. You want to implement the IEEE 1234.567 standard? You pay up a standard fee per implementation, and that's doled out to the contributing companies.)
They overlap and interact in unexpected ways, along with the theft economy and the subsistence economy. OpenSSL is a prime example of these overlaps and the complexities of trying to manage all that socially. Should the planned government economy make the code work via tax-supported staff of a government agency? Should businesses exchange money for more development work and support services specific to their needs? Should more developers just donate their time or individuals donate their funds to make OpenSSL work better? What mix makes sense? Especially for software of such global importance?
I talk about the interaction of those five types of economic transactions in general in a youtube video.
https://www.youtube.com/watch?...
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
Open source software makes sense. Free (as in gratis) software makes no sense
The problem is it's very difficult to effectively have the former without the latter. People are very relucant to make significant source code contributions when their is an asymetry in the relationship (you see this even in projects with contributor agreements) and setting up a system to pay every contributor fairly would add massive beuracracy.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
So how many developers does OpenSSL need for maintaining the code base?
Troll is not a replacement for I disagree.
When you have a widely-used, yet complex, product that nobody has to pay for, doesn't require tech support (unlike, say, an OS), doesn't have any provisions for proprietary (i.e. non-free) features, and isn't really much fun to work on (unlike, say, a compiler), it should come as no shock that it's somewhat difficult to recruit enough eyeballs to look for all those bugs.
Yep, a patch can be issued quickly, but a project with sufficient access to resource ahead of time breaks less to begin with.
Heartbleed was the result of someone adding an optional and useless feature to OpenSSL that should never have been added in the first place. That's not a problem with having insufficient resources, it's a problem with poor management.
If it has anything to do with resources, it's a sign that people on the project have too much free time on their hands, because if there had been anything important to be done, people wouldn't have the time to add this feature.
One of which was the Intel 80386 processor, and which apparently has been a big maintenance thorn in everyone's side for a long time. While there are still plenty of 486 computers floating about out there, 386 and below machines seem to have long ago ended up in the trash.
Understaffed to save money with a huge backlog, insane deadlines, cut corners, and massive scope creep. So what's his point?
putting the 'B' in LGBTQ+
Why do you think every open source project on the planet is constantly begging for money?
The problem is once you make something open source you also automatically make it free (as in zero selling price). How can you charge me money for something if I can get the source and build my own copy for free?. Open source is great in theory, but in the real world we now have many years of proof that open source destroys the ability to get paid for your work.
That's why Redhat, who opensources all their code & automatically makes it all free, can't make money. Except they have over $1 billion in revenue.
CentOS and Scientific Linux bundle all of RedHat's stuff, compile it, and make it easy for anyone to download & install and run. It's hard to tell the difference between RHEL and CentOS. If I need to spin up 100 VMs, I can grab CentOS, test it all out, then apply that to RHEL VMs that I've purchased licenses for so I can get support.
In a way, it's like Technet (was). I pay a small fee, get many copies for testing, non production, then by the real thing for deployment. Except with RHEL, I can choose to deploy the CentOS and forgo support. I'm sure there are some that even deploy the technet versions of windows in production.
VMware also gives away ESXi w/o some of the features. It's good enough to run a home lab.
How can any company make a living in these scenarios?
Inadequate resources is hardly the exclusive domain of Open Source projects. Nor is a failure to adequately vet code particularly reflective of an open development model. The insecure, buggy code in the devices used in the world's infrastructue display those facts, perfectly. Device manufacturers tend to focus on hardware, underfund and understaff their software development and demand unrealistic delivery times. These are, by and large, proprietary endeavors.
Except in the imbedded markets where there are still 386's. We just had one bank buy out branches in our area and guess what, the ATM they replaced had still used a 386 as the core gui driver. They endedup totaly replacing it because they could not find anyone who knew how to change the codes between the gui section and the data line (that they changed from POTS to ISDN but that is another 'we are 20 years behind' deal). SSL is wrote in C to keep being used by old garbage like this becuse it costs to much to upgrade them and many people do not even know they are still there.
AC because I forgot what my /. account was 10 years ago.
I don't trust "free" software. And never will. If you pay for software and it does not perform, you probably have a comeback on the vendor. If "free" software does not perform, you have no comeback on anyone, OpenSSL being exhibit one. And in case anyone was wondering, the ONLY reason "free" software has been so widely accepted by corporations is because it is supposedly "free". IMHO, free = crappy.
...where the CEO's idea of the time it takes to develop anything is off by a factor of five, and every developer is also an IT guy and half a dozen other things, how exactly?
Open source is not different from communism... Open source is principles of communism applied to software.
You are confusing giving access to the code and making such access free. I know of several companies that, for example, put the code in escrow so that if the product ever stops being supported customers can access it and modify it. Notice how this reaches a balanced compromise between your need as a user to see the code and the company to earn an honest buck from providing you software services.
Simply changing the license would achieve this. The point is FSF/OSF fundamentalists aren't even trying.
Programmers need to stop and think about the fact that giving away your labor for free to the benefit of corporations is absurd.
OSI Certified(tm) open source software is distributed under a license that conforms to what are essentially the Debian Free Software Guidelines. And these guidelines include free redistribution.
"user documentation" along with the elusive and mystical "technical documentation" comprise the missing holy grail of all software development whether it be open or closed.
The ones now complaining about how risky it is to rely on open-source software are exactly thos thousands of companies who just use open-source and never give anything back, usually not even provide a patch ever. It is not the fault of open-source it is the fault of greedy assholes who just take, never give back and then complain and bash.
Companies routinely underfund development staff, overwork them, and then end of life products in order to shove 2.0 out. I don't know why everyone's making a big deal out of 'heartbleed'. There have been exploitable faults in open and closed software many times before, some of which have been worse.
I think the meme here is 'obvious troll is obvious'. Open source doesn't mean that the software is free, it means that copying the software is free. Writing it in the first place, fixing bugs, and adding features are all things that someone has to be paid to do (although sometimes people will do it simply in exchange for being able to use the resulting combined work, effectively doing it for free because it's something they need or want).
The problem in the case of OpenSSL is that everyone needs bug fixes and security auditing, but no one was making a coherent effort to sell such a service.
I am TheRaven on Soylent News
Seriously people, think about it, giving your services away for free makes no sense.
Since when does open source mean giving away my services? I get paid quite well to write open source software. My service is writing code, not copying code. I'm happy for people to copy the code for free, because copying it doesn't require any effort on my part. Having a body of open source code available expands my potential set of customers quite a lot, because a lot more companies can afford to pay for a single feature to be added to an open source codebase than can afford to pay for something to be written from scratch that has that feature.
Or are you seriously arguing that the model that makes the most economic sense is to write software for free but charge people for copying it?
I am TheRaven on Soylent News
If the license was copyleft license such as the GPL, any time a company made changes and distributed it, they would have to contribute back, encouraging them to pay the developers. The problem is they decided not to force companies to distribute the source to any binaries they distributed, so companies can just make proprietary versions of the software and not pay developers to work on the open source project.
It is possible for even free stuff to cost a lot more than it is worth !
The title was about openssl having a lack of resources. Two people only to support OpenSSL --wow.
The comments were how bad it was to only have two support people for OpenSSL.
Here is how I think that support dropped down to only two people.
a) In the beginning of the project there were many many eyes on the sources, and it evolved over time to be very bug free.
b) As the reported bugs began to diminish, one did not need 50 people to solve 10 bugs. Ergo, many of the active developers and analysts moved on.
c) Bugs finally started to not be reported, ergo, why should a legacy product, if it is working and it does not break need support, even if it does something useful.
d) Those who put the most into the development have an attachment to the product. They will continue support and provide enhancements.
e) PANIC A security flaw was detected. Does it take a cast of '00s to repair? No. Does it take a large cast of '00s to fix? No!
f) Now, lets do a postmortem and see what there is to see. Wow, old code that was commented out, left in the source just in case....
g) Cleanup completed, old unused code removed, its back to legacy status. How many people now required for support?
Second idea
Large software house, 1000 programmers. Team of 3 to 4 support product xyz. Major bug reported for xyz, Can company redeploy and retrain 25 programmers overnight to work to repair xyz? What about the ongoing projects.
Third Idea
Consider any product xyz (say Linux). Linux has it's detractors, but has a very very strong developer team for various subcomponents. If a particular subcomponent becomes legacy stable (no reported bugs in a 90 day window), how many individuals will remain to provide support for that component.
Conclusion
The article takes a jaundiced view of open source projects and support. Be it open source or commercial, the people rules are the same.
Leslie Satenstein Montreal Quebec Canada
Yes, I know that most programmers write internal software where it doesn't actually matter if it's "Free" or not, because it never leaves the company. (Does it even really have a license at all? I know I never have to agree to a license agreement to use software internal to my company.)
But for that software (like OS's and other back-end infrastructure) of a more universal nature it makes the most sense to NOT develop that internally. And writing that software requires a radically different skill set from database apps. How are programmers that write that software supposed to be paid? Answer (from this example, anyway): Not much. Shocker: There's very little money in support contracts for small-ish low-level libraries.
I have no problem whatsoever with the GPL. But I DO have a problem with RMS's insistence that NOT giving away your work to anybody who wants it free of charge is the only ethical means of programming. If you want to give your work away, that's great, and I'll support efforts to fight against anybody that tries to then charge for your efforts. But if I want to write some software and get somebody to pay for it, that should be my option too.
And he's actually quite horrible at predicting problems down the road... if he was better at it, the Hurd would have shipped or been canceled well over a decade ago.