Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux Foundation's Census Project Ranks Open Source Software At Risk

Posted by timothy on from the deserves-macarthur-award dept.

jones_supa writes: The Core Infrastructure Initiative, a Linux Foundation effort assembled in the wake of the Heartbleed fiasco to provide development support for key Internet protocols, has opened the doors on its Census Project — an effort to figure out what software projects need support now, instead of waiting for them to break. Census assembles metrics about open source projects found in Debian's package list and on openhub.net, and then scores them based on the amount of risk each presents. Risk scores are an aggregate of multiple factors: how many people are known to have contributed to the project in the last 12 months, how many CVEs have been filed for it, how widely used it is, and how much exposure it has to the network. According to the current iteration of the survey, the programs most in need of attention are not previously cited infrastructure projects, but common core Linux system utilities that have network access and little development activity around them.

47 comments

  1. Why is systemd missing from this list? by Anonymous Coward · · Score: 0

    Are you honestly telling me that behemoth is somehow impervious to exploits and otherwise an upstanding model of open source programming?

    I mean, I don't really care if it's there (sysvinit is) and has a risk factor of 0. I just find it odd that there's no mention of it at all.

    1. Re:Why is systemd missing from this list? by Anonymous Coward · · Score: 1

      The Census whitepaper details that and a lot of other stuff.

    2. Re:Why is systemd missing from this list? by houstonbofh · · Score: 3, Interesting

      Did you read how the derived it? Patches mean less risk (for some bizarre reason) and systemd patches hourly!

    3. Re:Why is systemd missing from this list? by Anonymous Coward · · Score: 1

      How is it bizarre than an active project which creates patches for found flaws is not seen at risk? The whole at-risk is about old software that no one looks at and only assumes is ok since it's old and trusted software.

    4. Re:Why is systemd missing from this list? by Smallpond · · Score: 1

      How is it bizarre than an active project which creates patches for found flaws is not seen at risk? The whole at-risk is about old software that no one looks at and only assumes is ok since it's old and trusted software.

      Last I read, 1 in 10 fixes creates a new bug. Most activity on new projects is new features, not the grunt work of fixing flaws. You can always get lots of people to write new code. It's hard to get people to do thorough testing.

    5. Re:Why is systemd missing from this list? by houstonbofh · · Score: 1

      Because a project patching bugs daily (that only a hand full of users are actually applying) is rated as more secure then a well tested and stable project that is not finding bugs and releasing patches...

    6. Re:Why is systemd missing from this list? by Anonymous Coward · · Score: 0

      Or that "stable" software is only thought of beeing well tested and scrutinized while beeing full of holes like say OpenSSL. If there are updates/patches, then atleast there is activity and a higher chance of code review than on a stale project where no one has looked at the code for years.

    7. Re:Why is systemd missing from this list? by Anonymous Coward · · Score: 0

      Now consider that that old stable code that hasn't had a patch in years had hundreds of thousands of patches leading up to the current code base where each one according to your own math had a 10% chance of introducing a new bug.

    8. Re:Why is systemd missing from this list? by Anonymous Coward · · Score: 1

      It "details" systemd? What the fuck are you talking about? I see one reference to systemd in that whitepaper, and it's in a section about rsyslog, so it really isn't even about systemd at all:

      Important today; as systemd becomes more used, its use may lessen but still important for merging data sources.

      "Its" in that context is rsyslog, not systemd!

      As far as I'm concerned, it didn't cover systemd at all. I don't know what the fuck you're talking about.

    9. Re:Why is systemd missing from this list? by Anonymous Coward · · Score: 0

      It details why the projects that are on wagon were chosen into it.

  2. subject by Anonymous Coward · · Score: 0

    That JavaScript interactive table thing is truly infuriating.

  3. Stop performing studies by Anonymous Coward · · Score: 0

    And do some actual work, like the rest of us.

    The projects are not being paid enough attention because arrogant academic types are too busy telling us this kind of nonsensical information than actually doing something about it or considering ones own complicit nature in the issue with a concept known as "work avoidance via academia".

    1. Re:Stop performing studies by NotInHere · · Score: 3, Interesting

      What they did is getting a basic overview of which projects need most attention. This is the first stage in improving the situation the most effective way. Now people/companies which have an interest in linux security as a whole (e.g. redhat) have a list of projects they can contribute to, even sorted by which to contribute first. I think the list is incredibly useful. Before heartbleed nobody did this kind of research, or it didn't get any attention.

    2. Re:Stop performing studies by Antique+Geekmeister · · Score: 2

      Except that most of them are obsolete, discarded in favor of more effective or more powerful tools, or never had another user. This includes most of CPAN for perl, most rubygems, most python modules, most maven packages, and perhaps 90% of github or sourceforge hosted projects. It's not possible to simply select an array of such tools and throw time or money at them. Some focus on ones that have a chance of working or a chance of usefulness is necessary.

      The result now is a "bazaar" of varying quality tools which live up to Theodore Sturgeon's famous conversation:

              From a new science fiction reader: "90% of science fiction is crap!"
              From Theodore Sturgeon: "90% of *everything* is crap!"

    3. Re:Stop performing studies by houstonbofh · · Score: 1

      What they did is getting a basic overview of which projects need most attention.

      No, they have a lit of project that rate in their arbitrary definition of "risk." Have a nice and stable project that is not on the feature of the week train? High risk, because there are not enough updates. How about a hidden development svn, with a public mirror that makes all contributions look like they come from one person? Oh, that is very high risk... By their metrics, "Hello World" is the riskiest program on the planet.

  4. Throwing money at OpenSSL by Anonymous Coward · · Score: 0

    Frankly, even though the grant money is probably not all that much, I think they need to send some money LibreSSL's way and see what project comes up with the more robust, secure stack. OpenSSL is hampered by a lot of crufty, bad, and possible backdoored code and will be for quite awhile. Why companies are throwing support behind it rather than LibreSSL is beyond me.

    1. Re:Throwing money at OpenSSL by Anonymous Coward · · Score: 1

      Mostly it will be that OpenSSL has a larger encryption library, that is available for general use, and thus more useful.

    2. Re:Throwing money at OpenSSL by Anonymous Coward · · Score: 0

      But how much of that code is useful today?

      http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/

      When asked what he meant by OpenSSL containing "discarded leftovers," [Theo] de Raadt said there were "Thousands of lines of VMS support. Thousands of lines of ancient WIN32 support. Nowadays, Windows has POSIX-like APIs and does not need something special for sockets. Thousands of lines of FIPS support, which downgrade ciphers almost automatically."

      There were also "thousands of lines of APIs that the OpenSSL group intended to deprecate 12 years or so ago and [are] still left alone."

      Obviously, Theo is going to push LibreSSL as a better alternative to OpenSSL since it is being developed by OpenBSD devs, but he's not wrong in his criticism of OpenSSL. There's lot's of cruft, plain bad code, and some questionable patches committed through a lax review process. Sometimes its just better to salvage the working stuff and jettison the rest, which is the approach LibreSSL takes.

    3. Re:Throwing money at OpenSSL by Anonymous Coward · · Score: 2, Interesting

      > Sometimes its just better to salvage the working stuff and jettison the rest, which is the approach LibreSSL takes.

      This kind of work pays for a great deal of my salary. My favorites are the long term architects who built up complex systems themselves that *no one else in the world uses*, but refuse to move to the safer and better supported modern tools. Examples written by software architect I know include:

                  RCCS - (an RCS based shared repository source control tool, replaced by CVS even before it was written)
                  Tuttle - (system config tool, replaced by cfengine and puppet even before it was written)
                  ypmake - (perl based replacement for GNU make, written by someone who loved perl and couldn't be bothered to learn shell)

      And oh, there's my favorite reasons for why such folks won't review their code with me.

                The code is the documentation. (This was popular over at the FSF in its early days.)
                The Wiki blew up last time I used it, so I refuse to use it.
                Schedule a meeting! (and then refuse to show up five meetings in a row)

      Cleaning up freeware and open source code is often thankless.

    4. Re:Throwing money at OpenSSL by houstonbofh · · Score: 2

      Why companies are throwing support behind it rather than LibreSSL is beyond me.

      Because it is what they use. Porting has a non-zero cost as well.

  5. Excellent idea by golodh · · Score: 3, Interesting
    And overdue.

    As FOSS projects become more widely used (privately and by companies), it's an excellent idea to actually collect some statistics that give an idea of how well and how actively a project is maintained.

    An attacker might e.g. get commit rights to several low-activity projects, insert malicious code, and wait for people to download updates and become easily exploitable.

    No FOSS end-user ever checks code: they rely om the maintainers to produce clean and honest code. Large and tech-savvy businesses tend to be a little more cautious, but in the end only a minority have the staff and the budget to actually vet the code. So unless they're going to expose themselves by redistributing the code, or they know they're going to use it in mission-critical ways, they won't look into it very deeply.

    This leaves users vulnerable. Because when a project is "asleep", it's a good candidate to slip in some backdoors.

    Given the number of FOSS projects, it can be quite hard for any organisation to get an idea of (let alone metrics on) how well maintained those projects are. Doing this and making the numbers public is a very useful service.

    Of course, as no doubt various FOSS enthusiasts will rush to point out, it's not a perfect indicator.

    Well ... it isn't and it doesn't have to be, but it's a very useful indicator all the same. And if you can easily look up a project's rating, that will sharply increase the likelihood that it will be used.

    1. Re:Excellent idea by houstonbofh · · Score: 2
      I agree that it is a very good idea. But the execution leaves a lot to be desired.

      An attacker might e.g. get commit rights to several low-activity projects, insert malicious code, and wait for people to download updates and become easily exploitable.

      Their rating system actually encourages this. If you have tight controls on commits, like perhaps 1 or two people who review code and actually make the commits, you are "at risk." So go ahead and give that NSA guy commit access...

    2. Re:Excellent idea by Anonymous Coward · · Score: 0

      The biggest problem I see is everyone wants to create a project (looks good on ye ole resume). Not as many want to be the 'maintenance guy'. That does not look as good on ye ol resume. Contributed to project XYZ could mean anything. Created project XYZ means a lot more.

  6. Yeah by Greyfox · · Score: 1
    I was just noticing the other day that a number of emacs lisp packages I use on a regular basis hadn't had any development work in 5-10 years. It's a bit discouraging to go looking for something and only find a goddamn sourceforge link for it. That's my main metric for the death of a project -- you can only find a sourceforge link.

    I guess it's understandable. Those guys wrote those things to scratch an itch and they worked well enough long enough. If a company where trying to maintain all the code that goes into a typical Linux install for me, it'd probably cost billions of dollars. It seems to me it would be fairly easy to subvert entire subsystems in a distribution by, for example, waiting for everyone to be happy with how it works and going off, then picking up maintenance or starting a replacement project because "No one works on that old one anymore!" Next thing you know, the system you used to love is bleeding features left and right and before you know it ends up being a dumbed-down version of Windows. Maybe that's just the open source lifecycle on a scale of decades...

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Yeah by houstonbofh · · Score: 2

      I was just noticing the other day that a number of emacs lisp packages I use on a regular basis hadn't had any development work in 5-10 years.

      If it works, why change it? The SmallWall project was immune to all of the SSL bugs in the last year because we use an old version that does not have these new and buggy features... Of course, this rating system would ding us for that... :)

    2. Re:Yeah by DarkOx · · Score: 1

      One of the problems the software world faces is when is something 'done'.

      Suppose and application was carefully designed and written 5 years ago and was free of problems like buffer overflows, logic errors, bad assumptions about input domain, bad assumptions about scale. If these things were true 5 years ago why would they be less true today? The questions than becomes does this application still meet the need today?

      Software isn't like a house or machine. It does not require maintenance unless a problem is discovered or a need changes, than you remodel. Software does not weather, nor does it have wearing surfaces.

      I saw tcpd on the list. How much attention should that get? I mean I used tcpd for the same things I have used tcpd for more than a decade. I don't really have any new uses for it. It supports ipv6. I am not sure what changes are need. Why should anyone spend time migrating it to git hub? What would that accomplish?

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  7. NTP needs the most love... by frank_adrian314159 · · Score: 1

    There's far too much software out there that depends on having clocks close to in sync.

    --
    That is all.
    1. Re:NTP needs the most love... by Antique+Geekmeister · · Score: 1

      The freeware ntpd at http://www.ntp.org/downloads.h... was extremely stable code. It's greatest problems have been with subtle configuration issues, not with the old daemon itself. Unfortunately, the service is now merged into systemd itself, which means that support for it from that large part of the Linux world will no longer apply to any other operating system.

      The main codeline at http://www.eecis.udel.edu/~ntp... shows that it is in active development, mostly to support new operating systems and hardware.

    2. Re:NTP needs the most love... by houstonbofh · · Score: 1

      NTP is actually quite solid. But pool.ntp.org could use some love. It can't work without servers...

    3. Re:NTP needs the most love... by gustygolf · · Score: 1

      Guys. Just use OpenNTPD.

      It's actively developed, and it doesn't have any of the bloat that is in the official ntpd. And it syncs clocks!

      Brought to you by the OpenBSD project. Known for writing secure software.

      --
      "Slow Down Cowboy! It's been 58 minutes since you last successfully posted a comment" -- slashdot, driving users away.
    4. Re:NTP needs the most love... by metamatic · · Score: 1

      Or chrony, which I just switched all my machines to.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  8. tcpd top of the list - what a shock! by gpm · · Score: 1

    No surprise about tcpd (aka Wietse Venema's TCP wrapper utilities) which has not been updated since its last release in 1997.

    It should just be removed from all Linux distributions just as Arch did in 2011: https://www.archlinux.org/news...

    Use something, anything else rather than this practically stone age software.

    1. Re:tcpd top of the list - what a shock! by Anonymous Coward · · Score: 0

      In general distros should sweep their repositories more rigorously. There's a lot of old junk that does not work properly or is not of practical use anymore.

    2. Re:tcpd top of the list - what a shock! by houstonbofh · · Score: 1

      "I know you have this tool that works perfectly well for what you are doing, but you should remove it now, and use my new and bloated tool instead..."

      Seems to be the current "best practice" and I hate it.

    3. Re:tcpd top of the list - what a shock! by Anonymous Coward · · Score: 0

      No surprise about tcpd (aka Wietse Venema's TCP wrapper utilities) which has not been updated since its last release in 1997.

      It should just be removed from all Linux distributions just as Arch did in 2011: https://www.archlinux.org/news...

      Use something, anything else rather than this practically stone age software.

      I hope you are being sarcastic, because that tool just works and still has its use. Even if it is rare that it is needed and its last update was pretty long ago. It is small and feature complete for now. There will be an update if someone finds a bug in the source. But hey. let's throw all small and stable programs out or at least add some new feature from time to time.

    4. Re:tcpd top of the list - what a shock! by Anonymous Coward · · Score: 0

      Why not just role it into systemd?

    5. Re:tcpd top of the list - what a shock! by Anonymous Coward · · Score: 0

      Check out NetBSD then.

  9. #1 by slashmydots · · Score: 0, Troll

    1. The .NET framework

  10. Systemd will replace them by Anonymous Coward · · Score: 0

    Anyway, all the core programs will be eventually replaced by a systemd component.
    So why bother maintaining the good old software?

  11. Wide usage may not always be the best metric by Anonymous Coward · · Score: 0

    I don't completely agree that project needs to be widely used to pose a high risk. There are certain applications which are not installed on many machines, but which security is extremely critical for the internet in whole. Two very good examples would be Quagga & BIRD. You can find one of them from very large number of core network deployments. They may not always be the ones that pass actual traffic, but they might be the ones that receive routing tables and pass them to other routers after modifying them as they allow you to modify them to fit your needs better.

    1. Re:Wide usage may not always be the best metric by Wycliffe · · Score: 1

      I don't completely agree that project needs to be widely used to pose a high risk. There are certain applications which are not installed on many machines, but which security is extremely critical for the internet in whole. Two very good examples would be Quagga & BIRD. You can find one of them from very large number of core network deployments. They may not always be the ones that pass actual traffic, but they might be the ones that receive routing tables and pass them to other routers after modifying them as they allow you to modify them to fit your needs better.

      It depends on how you define "wide usage". If wide usage is defined as total number of servers then even something like DNS might not make the cut.
      On the other hand if it's defined as needed infrastructure where it either dominates its market or there is no other reasonable alternative then certain
      programs only used for backbones or ISPs would definitely make the cut.

  12. systemd probably ought to be retired by Anonymous Coward · · Score: 0

    Just for its lameness.

  13. That's It.... by JustAnotherOldGuy · · Score: 1

    I am officially starting the Church Of SystemD, which will bring enlightenment to the masses.

    Services praising The Holy SystemD will be performed at gunpoint, so stop making trouble with all those facts and shit and just get in line.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  14. at risk or mature? by steak · · Score: 1

    Are they really at risk or just mature? after 20-30 years I don't see how tools like whois and bzip2 could really need that much development.

    --
    lose != loose
    1. Re:at risk or mature? by Anonymous Coward · · Score: 0

      Its ui needs to be converted to follow contemporary design aesthetics. All of options have to be removed as confusing clutter and its name changed to a random nondescript symbol.

  15. Adopt a Linux System Utility by gpoul · · Score: 1

    Why don't we try the open source route and have people adopt these at-risk core system utilities? Won't there be any interest if those are up for adoption? If we get 3-4 volunteers per tool we can for sure do something about this and get more people to contribute to those tools.

    I would definitely be up for something like that.