Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Free Can Make You Bleed: the Underresourced Open Source

timothy posted about 7 months ago | from the superheroes-of-the-real-world dept.

Security 175

jones_supa (887896) writes "After the Heartbleed fiasco, John Walsh brings attention to the lack of proper manpower and funding to run various open source projects. Free is not usually a bad thing, but it can be when it causes the software your business depends on to be under resourced. 'OpenSSL for example is largely staffed by one fulltime developer and a number of part-time volunteer developers. The total labor pool for OpenSSL maybe adds up to two fulltime developers. Think about it, OpenSSL only has two people to write, maintain, test, and review 500,000 lines of business critical code. Half of these developers have other things to do.' Theo de Raadt has also spoken about too much donations coming from the little people instead of companies, and not too long ago even the OpenBSD project almost couldn't pay its power bills. Walsh goes on to ponder security of open source software, the 'many eyes' phenomenon, dedicating people to review code, and quality control."

Sorry! There are no comments related to the filter you selected.

It's not underresourced (1, Insightful)

Anonymous Coward | about 7 months ago | (#46907183)

It is over fragmented

Re:It's not underresourced (4, Insightful)

paskie (539112) | about 7 months ago | (#46907341)

In some cases, fragmentation is bad. In case of critical infrastructure, fragmentation is great!

Having multiple interoperating implementations has been always one of the basic requirements for internet standards, it ensures future growth and leaving out the worst warts, dependency on undocumented behavior etc. But most importantly, if a bug is found in one of the implementations, it cannot take out the complete internet infrastructure because large parts of it are running a different implementation. Even if a bug is found on a protocol level, some implementations may not implement that feature or implement it slightly differently and aren't involved. Fragmentation is essential to the robustness of internet.

Honor only limit (0, Interesting)

Anonymous Coward | about 7 months ago | (#46907185)

If a bad actor, such as a government or an illegal organization wanted to inject a zero day flaw, the current system makes it awfully cheap. Heck open-source developers aren't even required to say a loyalty oath before submitting their changeset.

Re:Honor only limit (1)

Anonymous Coward | about 7 months ago | (#46907221)

....the 'many eyes' phenomenon,....

And nobody reviews the source code. People download, use the library/code or whatever and be on their merry way.

This "you can't get anything bad through because the source is freely available" has proven to be horseshit.

Re:Honor only limit (5, Insightful)

Anonymous Coward | about 7 months ago | (#46907353)

The problem is that with "many eyes" all the eyes are assuming some other eyes are looking.

Re:Honor only limit (4, Insightful)

LinuxIsGarbage (1658307) | about 7 months ago | (#46907437)

....the 'many eyes' phenomenon,....

And nobody reviews the source code. People download, use the library/code or whatever and be on their merry way.

This "you can't get anything bad through because the source is freely available" has proven to be horseshit.

Some people are under the assumption if you release something open source, you will get hundreds of volunteers lining up to work on it. And when they do, they will work on EVERYTHING. Truth is unless your project is "sexy" it's hard to get developers. Look at Linux kernel, a lot of the development is done by paid developers (not a lot sexy about the kernel). Look at where projects spend their focus: Firefox reinventing the UI again, Compiz Wobbly windows, usually any application that can be skinned, has 400 skins for every useful plugin. Meanwhile things like performance, or user documentation gets neglected.

Don't get me wrong, I think there's benefits to Open Soruce development models, I just don't think open sourcing something means hundreds of people are looking at it.

Re:Honor only limit (5, Insightful)

Barsteward (969998) | about 7 months ago | (#46907475)

But you do get a "lot less bad though". Compare open source to closed source and compare the problems and the number of those problems. Close source security problems lead the way by a long margin.

No system is perfect but open source is closer to that ideal than closed source.

Re:Honor only limit (1)

AHuxley (892839) | about 7 months ago | (#46907339)

Cheap was always the way in for governments after beyond the 1950's. If any private or neutral gov was going to develop, market and sell complex cryptography they would find international standards and low prices blocking them. The option was to give up or sell out and go with weakened "international standards".
Free counters a diversity of unique or bespoke per seat, per user count crpto entrepreneurship over many countries.
No matter if it open source or closed source; as long as it can catch plain text, it is a good trapdoor.

It is not underresourced (-1)

Anonymous Coward | about 7 months ago | (#46907189)

It is overfragmented.
Too many similar projects!

Re:It is not underresourced (-1)

Anonymous Coward | about 7 months ago | (#46907337)

Same thing. If it's overfragmented, then each fragment is underresourced.

PS, I'm pretty sure "underresourced" is not even a word.

Guess what would happen if Microsoft divided its existing Windows development team into 75 different distinct groups and tasked each group with writing the codebase for Windows 9, with the intent of selecting the best, most secure version of the group and releasing it to production. Natural selection would ensure an almost flawless product, right? Wrong. You'd have 75 crappy, unfinished, unsecure, feature-incomplete pieces of crap. Basically, you'd have Linux.

Lol whut? (5, Insightful)

Anonymous Coward | about 7 months ago | (#46907191)

If your business relies "critically" in its functions on such a piece of software, how would you as a business owner ensure the continuity of the "critical" function?

A. Hire someone to maintain and work on that software.
B. Whine about someone not giving you their time for free.
C. Buy a commercial solution which costs you 50 k USD a year and has at most same level of support as OpenSSL (though better packaged and you get to chat with the smooth sales rep)

What do you do?

Re:Lol whut? (1)

westlake (615356) | about 7 months ago | (#46907487)

A. Hire someone to maintain and work on that software.
B. Whine about someone not giving you their time for free.
C. Buy a commercial solution which costs you 50 k USD a year and has at most same level of support as OpenSSL

$50K a year can be a bargain compared to development and maintenance in-house. A $50K donation to a project like OpenSSL will underwrite maybe six months work by a full-time developer.

Re:Lol whut? (1)

NapalmV (1934294) | about 7 months ago | (#46907661)

$50K a year can be a bargain compared to development and maintenance in-house.

Don't forget that what is "outsourced" for you is "in-house" for the outsourcer. If you can't beat him on price and assuming similar labor costs, it means you have poor/too much management overhead.

Re:Lol whut? (1)

Immerman (2627577) | about 7 months ago | (#46907917)

Not necessarily - it could also mean that your business doesn't do software development. A business already focused specifically on developing the software in question is going to be able to translate that $50k into much greater improvements than the car rental agency that is simply relying on that software as part of their infrastructure.

Re:Lol whut? (2)

Gunboat_Diplomat (3390511) | about 7 months ago | (#46907919)

$50K a year can be a bargain compared to development and maintenance in-house.

Don't forget that what is "outsourced" for you is "in-house" for the outsourcer. If you can't beat him on price and assuming similar labor costs, it means you have poor/too much management overhead.

Or, the commercial $50K a year solution has the advantage of scale by spreading its cost on multiple customers. If the commercial provider has 1000 customers paying $50K a year, the economy of that is hard to beat by being lean on management overhead.

Re:Lol whut? (1)

TheRaven64 (641858) | about 7 months ago | (#46908011)

The problem with the $50K commercial solution is that they want you to pay $50K next year too. If their software does what you want already, then that's a hard sell, so typically they persuade you by adding new features. For something like OpenSSL, new features mean new ways of introducing vulnerabilities, so are often the last thing you want.

Re:Lol whut? (3, Insightful)

JaredOfEuropa (526365) | about 7 months ago | (#46907899)

A. In a lot of cases this is a managable risk. You don't even need a full time employee; if an issue occurs (and if you manage it right, you'll often know about it ahead of time) you just hire a troubleshooter contractor for a few weeks to fix things. We've done this a few times with both FOSS software, and Mickey Mouse in-house software (think Access / VBA stuff), and in all cases the fix was faster and cheaper to apply than with comparable proprietary software.

And I'll let you in on a little secret: some teams writing proprietary software are also understaffed. The difference is that you won't know that they cut corners until things go bad. On the plus side: you get to blame the vendor instead of being blamed for your reckless choice of FOSS.

Look from the K.I.S.S. side (3, Interesting)

eexaa (1252378) | about 7 months ago | (#46907215)

From a bit different perspective (largely unix-practical) -- when not having enough resources, you are forced to keep stuff simple. That's usually good, isn't it?

Anyway, I always wondered why is OpenSSL such a bloated pile of code. It does one god damn gazillion things tightly packed. Now, TLS implementation itself is pretty simple, Key management tools are pretty simple, PKCS verification tools are pretty simple, mathematics behind that is pretty simple, commandline tools for quickusing the maths are simple, relationship between those entities ("APIs") are well-defined and usually clear. Who stuffed all of it into one project?!

PS. Bonus paranoia&FUD I saw today: http://pastebin.com/gjkivAf3 [pastebin.com]

Re:Look from the K.I.S.S. side (0)

Anonymous Coward | about 7 months ago | (#46907395)

I think the real takeaway from Heartbleed is just precisely that. K.I.S.S. reigns supreme and OpenSSH forgot all about any notions of "simple"- which is why they forked it with LibreSSL.

Slant: look who is writing the article (5, Informative)

Jody Bruchon (3404363) | about 7 months ago | (#46907225)

The author works for the actual SSH company that sells commercial SSH software. Though the points may largely be valid, a lot of the slant in the article is meant to tell people "this is what happens when you don't pay for software, so buy our commercial stuff today. Because it can't POSSIBLY suffer from the same kind of mistake, right? Right guys? ...guys?"

SSH programmers make mistakes. The article writer has an agenda and it's quite obvious. There is no reason to assume SSH is of any better quality than OpenSSH. He even shoots his implication in the foot: "are you going to review two year old patches for errors? No, of course not." This is no different in paid software. If it gets missed during any sort of review, the hole remains. See the recent IE 0-day hole (which has only been around for over a decade) for proof that this is true.

Re:Slant: look who is writing the article (1)

drinkypoo (153816) | about 7 months ago | (#46907241)

While you have a point, you could also take away from the article that OpenSSL needs money.

Re:Slant: look who is writing the article (1)

Jody Bruchon (3404363) | about 7 months ago | (#46907275)

Oh, OpenSSL desperately needs money, as well as programmers. The problem is that OpenSSL is not "fun" to work on and is something that largely sits in the background. Everyone knows what Firefox is because it's a big fancy graphical program that does nice things, but OpenSSL and GnuTLS and NSS are kind of obscure because they're just packages that add something to other programs. Libraries often suffer from lack of programmers and funding. It would probably help if there weren't so damned many SSL/TLS stacks out there though.

Ironically, special libraries like CyaSSL which more closely serve the embedded niche tend to draw far more interest than the extremely ubiquitous OpenSSL, probably because OpenSSL is absolutely huge by comparison and not necessarily suitable for the massive embedded systems market.

Re:Slant: look who is writing the article (0)

Anonymous Coward | about 7 months ago | (#46907641)

OpenSSL desperately needs money, as well as programmers. The problem is that OpenSSL is not "fun" to work on

On the one hand this is an issue with a lot of open source projects where bugs are sidelined by the next shiny feature. On the other hand the shit storm in the aftermath of heartbleed made the OpenSSL code base look like a maintenance nightmare that I wouldn't touch with a barge pole. Just some things that come to mind: missing or badly outdated documentation, macro hell (no chance in hell to find a function implementation by name - ## is an obfuscaters best friend), standard C style code (3 letter function names, 1 letter variable names), badly reinventing the wheel (the C standard library is not guaranteed to be fast enough or bugfree, lets rewrite it with subtle differences) and more subjectively a weird indentation style.

It will be interesting to see what will be left when the LibreSSL project is finished with the cleanup.

Re:Slant: look who is writing the article (1)

stenvar (2789879) | about 7 months ago | (#46907775)

Oh, OpenSSL desperately needs money, as well as programmers

If they need money and programmers, why are they wasting time and effort implementing OpenSSL extensions people don't actually need? Why are they wasting their time writing their own memory manager? Why are they writing in plain C?

Re:Slant: look who is writing the article (2, Insightful)

Anonymous Coward | about 7 months ago | (#46907923)

why are they wasting time and effort implementing OpenSSL extensions people don't actually need?

You say that like there was some kind of central management decision to implement heartbeat instead of something else. There wasn't. There was just some guy who sacrificed his personal time to implement a feature that may be useful to some (maybe not to you). What have you done for OpenSSL so far?

Re:Slant: look who is writing the article (2, Interesting)

Gaygirlie (1657131) | about 7 months ago | (#46907305)

While you have a point, you could also take away from the article that OpenSSL needs money.

Good thing, then, that that's being actively taken care of. Ars Technica just posted an article recently that they're getting a lot more donations now and some large companies pledged to donate $50,000 yearly for 3 or 5 years. That should definitely help for a while, though I hope that after those 3 or 5 years have passed things don't go back to the way they were.

Re:Slant: look who is writing the article (1)

J. J. Ramsey (658) | about 7 months ago | (#46907285)

There's also the matter that OpenSSL and OpenSSH are different animals. OpenSSH is audited, much as OpenBSD is itself.

Re:Slant: look who is writing the article (1, Insightful)

Jody Bruchon (3404363) | about 7 months ago | (#46907319)

OpenSSH relies on OpenSSL, so OpenSSH is only partially audited if OpenSSL isn't also being examined.

Re:Slant: look who is writing the article (0)

Anonymous Coward | about 7 months ago | (#46907453)

Indeed. Thing is, OpenSSL is getting audited now- and was found seriously wanting. Currently no part of the crapball that is OpenSSL has issues (that we know of) with OpenSSH's usage thereof (Heartbleed was in the TLS heartbeat function, which isn't used in OpenSSH)- but the OpenBSD bunch aren't taking chances; they're winnowing out the chaff and discarding idiot notions of things like supporting Visual C++ 5.0 (Yes, they're worrying about that support...) and broken things in Windows, VMS (Yes, there's fixes for something very busted in VMS...), etc.

I can't say that I blame them for doing the fork. It's long been overdue and the main cause of the problem isn't and wasn't lack of funds, but rather a lack of sound engineering practices being applied to the project. If it means ditching support for honestly deprecated things out of Microsoft's and other vendor's products (Basically all of their sins), to simplify and make the code vastly more robust- they should've chose the latter, not the former. In all cases, they chose the former- which is where the problem honestly comes from.

Re:Slant: look who is writing the article (1)

ChunderDownunder (709234) | about 7 months ago | (#46907753)

Not anymore [slashdot.org]

Re:Slant: look who is writing the article (3, Interesting)

MightyYar (622222) | about 7 months ago | (#46907345)

Despite the slant, I actually came away impressed at the demonstration of efficiency: 2 developers are doing the work of perhaps thousands if the tools weren't open source.

Re:Slant: look who is writing the article (1)

Jody Bruchon (3404363) | about 7 months ago | (#46907369)

That's something I came away with as well. Other than this programming error, "two full time developers" have maintained OpenSSL for years. Makes me wonder how many programmers SSH.com employs and how they perform relative to the OpenSSH "team."

Re:Slant: look who is writing the article (3, Funny)

NapalmV (1934294) | about 7 months ago | (#46907695)

Let's reformulate: 2 developers are doing the work of perhaps thousands of managers, HR, legal, PM, accounting etc. employing 2 developers.

Re:Slant: look who is writing the article (0)

Anonymous Coward | about 7 months ago | (#46907347)

the points are not valid. closed source has exactly the same issue.
the problem with closed source is you will never know when this happens.

oh, and what if they go out of business?

Re:Slant: look who is writing the article (0)

Anonymous Coward | about 7 months ago | (#46907457)

The content on slashdot doesn't matter. What matters is that the mother company earns money.

Re:Slant: look who is writing the article (1)

Jody Bruchon (3404363) | about 7 months ago | (#46907735)

Wait. There's CONTENT on SLASHDOT?! D:

Cheap ass gits. (4, Insightful)

serviscope_minor (664417) | about 7 months ago | (#46907227)

If your business is depending *critically* on a piece of free software then don't be such a cheapass git. Hire a developer or allocate some of your budget to fund the project.

Problem solved.

Re:Cheap ass gits. (2)

Jody Bruchon (3404363) | about 7 months ago | (#46907325)

As a programmer who uses git daily, your use of the word "git" in this sentence has proven amusing. They should add a "git donate" command...

Re: Cheap ass gits. (0)

Anonymous Coward | about 7 months ago | (#46907373)

Yeah, don't be a cheapass with random revision numbers and inexplicably complex distribution systems.

Re:Cheap ass gits. (3, Informative)

TapeCutter (624760) | about 7 months ago | (#46907925)

A moron in the UK is commonly referred to as a "useless git". A "git" is an old ironworkers term, it's the (useless) bit of metal that solidifies in the pour hole of a cast. I think "git" software derives it's name from the way some Americans pronounce "get", but I have no idea if that's true..

Re:Cheap ass gits. (1)

Immerman (2627577) | about 7 months ago | (#46907957)

You've got to wonder what Torvalds was thinking when he used an insult as the name for his project. Right up there with GIMP for marketability.

Re:Cheap ass gits. (1)

AHuxley (892839) | about 7 months ago | (#46907365)

Must have been an interesting meeting: just drop in the free code like the rest of our wealthy, skilled competitors do.

Re:Cheap ass gits. (0)

Anonymous Coward | about 7 months ago | (#46907839)

So free software is not really free if you need a developer to maintain it. Once you go down that road you need to compare "free" software with the alternatives.

Re:Cheap ass gits. (2, Informative)

Jody Bruchon (3404363) | about 7 months ago | (#46908163)

Free as in freedom, not as in beer. This is the biggest problem with the use of the word "free" to explain it, which was one reason "open source" was coined. "Free" implies "no cost" to most people.

Re:Cheap ass gits. (0)

Anonymous Coward | about 7 months ago | (#46908093)

I don't fund c language projects...

Re:Cheap ass gits. (1)

Jody Bruchon (3404363) | about 7 months ago | (#46908155)

That's a very stupid criterion for making a funding choice. C language projects make the vast majority of other language projects exist. Every mainstream desktop operating system that currently exists is written in C, even Windows. Short of raw assembly language, there is no faster language in such wide usage that exists, and for something like encryption which is a notoriously CPU-intensive process, every ounce of power for running the computations is critical. Why, for example, do you think the reference implementation of Python [wikipedia.org] is written in C?

OSF vs FSF (0)

Alomex (148003) | about 7 months ago | (#46907237)

Open source software makes sense. Free (as in gratis) software makes no sense and the proposition that people shouldn't be paid for the software they develop is the stupidest thing I've ever heard. No other profession gives away its services like that (where can lawyer to handle my divorce for free?).

Often corporations are the main beneficiaries of your free labor when they should have paid for your services. A much preferable alternative is software released for free for personal use, but with a modest cost per seat for commercial use.

And yes, when I was young I contributed to several Open Source projects, before the term had even been coined.

Re:OSF vs FSF (0)

Anonymous Coward | about 7 months ago | (#46907303)

Open source software makes sense. Free (as in gratis) software makes no sense and the proposition that people shouldn't be paid for the software they develop is the stupidest thing I've ever heard. No other profession gives away its services like that (where can lawyer to handle my divorce for free?).

Why do you think every open source project on the planet is constantly begging for money?

The problem is once you make something open source you also automatically make it free (as in zero selling price). How can you charge me money for something if I can get the source and build my own copy for free?. Open source is great in theory, but in the real world we now have many years of proof that open source destroys the ability to get paid for your work.

Re:OSF vs FSF (0)

Anonymous Coward | about 7 months ago | (#46907489)

Has less to do with that and more to do with a lack of sound engineering principles in this case (and pretty much every other one of them.)

You don't do things like:
      - Keep support for no longer supported by the vendor compiler versions at the expense of simplicity.
      - Have support for broken OSes (VMS, anyone?).
      - Worry about two dozen deprecared OSes and toolchains.

They did all of those things in OpenSSL and they shouldn't have. In fact, FSF probably needs to prune their crap a little bit due to it worrying about all of the above so slavishly- before they have a mishap of this nature. It should be noted that Linux got rid of a handful of deprecated machine types over the last handful of years. There's some machine types still lurking around that should be deprecated but haven't yet- so there's some of that still around- but as soon as it gets pretty much the same way as i386 support got, it should (and very probably will) be carved out of the OS there too.

Re:OSF vs FSF (1)

Jody Bruchon (3404363) | about 7 months ago | (#46907751)

One of which was the Intel 80386 processor, and which apparently has been a big maintenance thorn in everyone's side for a long time. While there are still plenty of 486 computers floating about out there, 386 and below machines seem to have long ago ended up in the trash.

Dropped Arch's (1)

Anonymous Coward | about 7 months ago | (#46907939)

Except in the imbedded markets where there are still 386's. We just had one bank buy out branches in our area and guess what, the ATM they replaced had still used a 386 as the core gui driver. They endedup totaly replacing it because they could not find anyone who knew how to change the codes between the gui section and the data line (that they changed from POTS to ISDN but that is another 'we are 20 years behind' deal). SSL is wrote in C to keep being used by old garbage like this becuse it costs to much to upgrade them and many people do not even know they are still there.

AC because I forgot what my /. account was 10 years ago.

Re:Dropped Arch's (0)

Anonymous Coward | about 7 months ago | (#46908255)

AC because I forgot what my /. account was 10 years ago.

You can always create another one.

Re:OSF vs FSF (1)

NapalmV (1934294) | about 7 months ago | (#46907531)

The problem is once you make something open source you also automatically make it free (as in zero selling price). How can you charge me money for something if I can get the source and build my own copy for free?

Don't confuse licensing terms with the availability of the source.

Re:OSF vs FSF (1)

Anonymous Coward | about 7 months ago | (#46907829)

Why do you think every open source project on the planet is constantly begging for money?

The problem is once you make something open source you also automatically make it free (as in zero selling price). How can you charge me money for something if I can get the source and build my own copy for free?. Open source is great in theory, but in the real world we now have many years of proof that open source destroys the ability to get paid for your work.

That's why Redhat, who opensources all their code & automatically makes it all free, can't make money. Except they have over $1 billion in revenue.

CentOS and Scientific Linux bundle all of RedHat's stuff, compile it, and make it easy for anyone to download & install and run. It's hard to tell the difference between RHEL and CentOS. If I need to spin up 100 VMs, I can grab CentOS, test it all out, then apply that to RHEL VMs that I've purchased licenses for so I can get support.

In a way, it's like Technet (was). I pay a small fee, get many copies for testing, non production, then by the real thing for deployment. Except with RHEL, I can choose to deploy the CentOS and forgo support. I'm sure there are some that even deploy the technet versions of windows in production.

VMware also gives away ESXi w/o some of the features. It's good enough to run a home lab.

How can any company make a living in these scenarios?

Re:OSF vs FSF (1)

Alomex (148003) | about 7 months ago | (#46907379)

..and it quickly gets modded down, since it breaks the echo chamber here.

Seriously people, think about it, giving your services away for free makes no sense. No one else does and, contrary to say, volunteer doctors who help poor people (doctors without borders) free software benefits mostly corporations.

Re:OSF vs FSF (0)

Anonymous Coward | about 7 months ago | (#46907441)

I give away some of the stuff I write for free. I do it because I didn't write it to sell it and other people can probably benefit from it, as I have benefited greatly from the software other people have generously given away at no cost for many years. OSS as a business model doesn't work if all you're selling is the code, and no one is really arguing about that. Of course, if you write a sufficiently complicated or unique piece of software, people who need it might be willing to pay you to help them get the full potential out of it, but that's risking actually doing what a business does or something.

I have run into so many products from "professional companies" with closed-source software that looked and operated like garbage that I can't count, the most recent of which was this awful thing [lamotte.com] with a "polished" main program that runs the actual peripheral control program beside it that looks like someone in high school coded it in Visual Basic 6 as a learning exercise and the firmware in the unit randomly refuses to actually operate. I ran into issues with the software that I could probably have easily fixed if I had access to the source code, specifically the fact that it takes away the "run test" button forever even if there is a problem with the centrifuge that makes the test fail. You don't want to know how long the workaround for the glitchy hardware actually takes.

Re:OSF vs FSF (1)

rasmusbr (2186518) | about 7 months ago | (#46907485)

..and it quickly gets modded down, since it breaks the echo chamber here.

Seriously people, think about it, giving your services away for free makes no sense. No one else does and, contrary to say, volunteer doctors who help poor people (doctors without borders) free software benefits mostly corporations.

The thing is that there is an argument that it is fundamentally unethical to not give away your source code. If you want to argue with that it's not enough to just say "but it's nice to not give away the code". Lot's of unethical things can be said to be nice. That does not make them ethical. Saying that you can't make money if you give away the code does not actually do anything to address the argument that the free software fundamentalists pose, so they're not likely to be swayed by that sort of reasoning.

If you want to argue with the free software fundamentalists you either have to say that they're wrong and that there is no ethical imperative to give away code, or say that there is a conflicting ethical imperative, for example you might argue along the line that it is unethical to do work for someone else without the expectation of market-rate income for that work. After all, what would happen to the economy if it became the norm that people should deliver services without getting money in exchange? The whole monetary system would grind to a halt. Of course, some might say that that would be a nice consequence.

shared pay/tips (0)

Anonymous Coward | about 7 months ago | (#46907969)

There are people who would love to have everyone paid evenly but work to the best of their ability. I had a 'job' at such a place one time. I ran from there very fast. Sadly waiters still endure this type of crap (shared tips)

Re:OSF vs FSF (0)

Anonymous Coward | about 7 months ago | (#46908145)

We call that EBT...

Re:OSF vs FSF (1)

petermgreen (876956) | about 7 months ago | (#46907629)

Open source software makes sense. Free (as in gratis) software makes no sense

The problem is it's very difficult to effectively have the former without the latter. People are very relucant to make significant source code contributions when their is an asymetry in the relationship (you see this even in projects with contributor agreements) and setting up a system to pay every contributor fairly would add massive beuracracy.

BS (4, Insightful)

NapalmV (1934294) | about 7 months ago | (#46907271)

How many programmers does Microsoft have? Are their products bug free as a result?

What about recent MSIE security problems? (2)

walterbyrd (182728) | about 7 months ago | (#46907283)

This article is nothing but pure propaganda.

Free software may not be perfect, but, from a security standpoint, it easily beats microsoft, and most other proprietary software.

Re:What about recent MSIE security problems? (0)

Anonymous Coward | about 7 months ago | (#46907315)

Microsoft's never let anybody dump a bunch of memory from my server. They've never done http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166 either.

Open sourcing software can be a much better model than proprietary - not if it's not resourced though.

Re:What about recent MSIE security problems? (1)

mwvdlee (775178) | about 7 months ago | (#46907435)

Ignorance is bliss.

http://cve.mitre.org/cgi-bin/c... [mitre.org]

More specifically related to SSL:
http://cve.mitre.org/cgi-bin/c... [mitre.org]
http://cve.mitre.org/cgi-bin/c... [mitre.org]

Re:What about recent MSIE security problems? (-1)

Anonymous Coward | about 7 months ago | (#46908373)

More specifically related to SSL:
http://cve.mitre.org/cgi-bin/c... [mitre.org]
http://cve.mitre.org/cgi-bin/c... [mitre.org]

So if you really dig deep, you can find two SSL vulnerabilities from IIS which date back to over 10 years? That sounds like IIS is doing just fine in that department.

Re:What about recent MSIE security problems? (0)

Anonymous Coward | about 7 months ago | (#46907473)

Microsoft's never let anybody dump a bunch of memory from my server.

While this may be true, consider Code Red (2001 worm). Setting aside for a moment that it attacked an exploit Microsoft had patched a month prior, the mere existence of an IIS overflow bug, allowing the installing of a worm, meant the attacker could have gained access not only to all the input and output on the server, but also to all the data sitting on the server. Patches servers were safe, but that's assuming the flaw was not being exploited before it was patched.

It's of course not just Microsoft. Back on the open source side, my own favorite web server software, Nginx, had patches for buffer overflows [nginx.org] . You're going to find this in both proprietary and open source software until static code analysis tools get good enough to catch all the buffer overflows, and programmers are using these tools as part of their standard programming process.

Heartbleed's bad, but by no means is it necessarily worse that what can be done with a buffer overflow, except that Heartbleed leaves no commonly visible trail (unusual files on the hard drive, or process running in memory).

Re:What about recent MSIE security problems? (0)

Anonymous Coward | about 7 months ago | (#46907605)

This has absofuckinglutely NOTHING to do with lack of resources and everything to do with BAD engineering practices being applied.

Re:What about recent MSIE security problems? (0)

Anonymous Coward | about 7 months ago | (#46908405)

It's a little odd that the go-to company to contrast with open source is Microsoft, given that they just open-sourced all of .NET, and a number of their other software projects (e.g., Entity Framework, F#, etc.) have been open source for some time. In fact, many of the big tech players have open-sourced big projects, some from the very beginning.

Westerners cause trouble (-1)

Anonymous Coward | about 7 months ago | (#46907289)

More westerners with high salaries: less of them to do a specific task. More mistakes, more lies, less communication, less throughput. Less peer reviews, more bugs.

Re:Westerners cause trouble (0)

Anonymous Coward | about 7 months ago | (#46907389)

sort of a racist post, don't you think?

Re:Westerners cause trouble (0)

Anonymous Coward | about 7 months ago | (#46907549)

He just observes westeners. He does not attack or insult them in any way. It's not a racist post.

There shouldn't be 500000 lines of code (0)

Anonymous Coward | about 7 months ago | (#46907333)

Do you really think that the required functionality of OpenSSL should be implemented in a way that requires more than two full time developers? A code base of that size for a piece of software with a very concise mission hints at an obese specification or feature creep in the implementation. In particular, OpenSSL should probably be split into the parts which are necessary for an actual SSL/TLS implementation and the parts which are used for creating CSRs and signing them, conversion of data formats and other aspects which are not used online in a TLS implementation. Remember the Unix philosophy: Each program should do one thing and do it right.

Not this propoganda again (0)

Anonymous Coward | about 7 months ago | (#46907335)

So sad to see /. is in M$ back pocket so deeply. Disappointed.

Re: Not this propoganda again (0)

Anonymous Coward | about 7 months ago | (#46907383)

Crawl back in your hole and cover your head. God forbid we discuss how to fix some legitimate shortcomings in an otherwise marvelous system. Blaming a boogie man for your troubles don't make them go away.

Re: Not this propoganda again (1)

walterbyrd (182728) | about 7 months ago | (#46907579)

> discuss how to fix some legitimate shortcomings

Is that a joke? This article is not about fixing problems, it is only about smearing F/OSS.

The article is entirely one-sided. It is meant to make F/OSS seem insecure, while completely ignoring the fact that proprietary software is just as bad, if not worse.

Re: Not this propoganda again (0)

Anonymous Coward | about 7 months ago | (#46908169)

The biggest problem with c is c...
the biggest problem with openSSL is OpenSSL...

Re:Not this propoganda again (0)

Anonymous Coward | about 7 months ago | (#46907773)

So sad to see /. is in M$ back pocket so deeply. Disappointed.

Do you really want this to be some closed valley where everyone has been brainwashed to see open source as the only truth and are strictly forbidden to criticize it?

Money no guarantee (3, Informative)

LordLucless (582312) | about 7 months ago | (#46907359)

Free is not usually a bad thing, but it can be when it causes the software your business depends on to be under resourced.

Of course, paying money for closed source software is no guarantee that it's going to be adequately resourced either. Compare the two most recent, high-profile flaws, both very similar, in that they deal with memory allocation issues:
- Heartbleed on SSL has a team of 2, was extant for 2 years, was patched in 6 days, and the patch was available to anyone who used the software
- CVE-2014-1776 on Internet Explorer. Don't know how many people the team, was extant for 13 years, was patched in 6 days, and the patch was originally going to be denied to users who hadn't upgraded recently.

This does not seem to be an issue with closed vs open source development models - both have had major vulnerabilities extand for far too long, and both can turn around fairly rapid patches when needed. Doling out cash to Microsoft is no more effective at securing your applications than using free open source products.

Re:Money no guarantee (0)

Anonymous Coward | about 7 months ago | (#46907553)

As always, the clueless come out of the woodwork- and no amount of explaining will shift them from their idiocy.

Unsound engineering practices were the culprit here. Failing to abide by one the most important principles, K.I.S.S. specifcically, is a key part of all of this.

You don't try to compensate for a bunch of deprecated/unused old OSes, compilers, etc. that have serious problems in use like this without eventually having a disaster like this. They've got workarounds for something busted in VMS and in several ancient versions of Visual C++ in the OpenSSL codebase- just for starters.

While I applaud the notion that you need to support a broad range of OSes, etc. it should **NEVER** be at the expense of simplicity of codebase, etc. FSF's got one of these disasters coming to them if they don't start wising up. Autotools is designed specifically to compensate for this sort of crap- if you're doing that...you're doing the **WRONG** thing at this point. Things have moved on and while it's "cool" to support an old VAX machine or the like- "cool" isn't always sound engineering practices and those should be considered first and foremost when doing anything in this space. That's not to say cool shouldn't be sought. Hardly, so. But it should take a backseat to something that can be maintained properly. That's not what was done with OpenSSL, and I'd hope that it was a wake-up call to all the FOSS devs out there.

Time for a non-commercial copyleft license ? (2)

bug1 (96678) | about 7 months ago | (#46907363)

The only way corporations are going to carry their fari share of the burden is if they are legally required to. The only way to do that is to make them pay with $, its all they understand.

Libre software is being used by corporations to build gold-plated cages for consumers. Its time to stop playiong their game.

Our glorious leaders are fundamentally wrong on the concept that software tshould be "free to use for any purpose", it should be free to use for the purpose of ensalving us.

Re:Time for a non-commercial copyleft license ? (1)

bug1 (96678) | about 7 months ago | (#46907375)

it should not be free to use for the purpose of ensalving us.

Duoh

The problem is not free. The problem is "free" (3, Insightful)

Opportunist (166417) | about 7 months ago | (#46907399)

The problem is not that the software is free (as in open). The problem is that people (and companies even more) perceive it as free (as in beer). That that's the main misconception.

Companies want to cut corners by using OSS. They don't do it because it's easier to review, easier to adapt or easier to find someone who can audit it sensibly. They want it because they can grab it and use it without having to pay anyone for it.

And that simply won't fly. Because that entails the "can't someone else do it?" attitude. Yeah, the code should be reviewed. But someone else will do that, we needn't spend money on that. And it should be audited, but can't someone else do it and we save some money?

Funny enough, the fact that anyone can review, audit and fix things is also the reason why nobody does it. It's a bit like that job in your company that anyone could do, and since anyone can do it, everyone relies that someone else will. There's so many who can, at least ONE of them will. Right? RIGHT?

And since the fact that it is "cost neutral" (to avoid saying the ambigious free) is one of the criteria, if not actually THE criterion, why an OSS product is chosen 999 out of 1000 times in a corporation environment, you may rest assured that the same cheapskates that chose OSS because they can pinch a penny will not spend it on auditing it.

Re:The problem is not free. The problem is "free" (1)

walterbyrd (182728) | about 7 months ago | (#46907591)

You are ignoring the fact that paid software is no better.

The problem is both forms of free. (3, Interesting)

sirwired (27582) | about 7 months ago | (#46907607)

One follows from the other. If your Free license says that anybody that works on your product is required to give away their efforts for free-beer free, it should not be surprising that it's difficult to find companies to spend money on something (like paying a developer) that won't give them a competitive advantage. This, incidentally, is why we have taxes; it forces people (and companies) to pay for the common good. We wouldn't have much in the way of public works if they relied solely on charitable donations and user fees.

This is a persistent weakness of Free software, but you'll never get RMS to admit that money to pay for programmers does not magically fall from the sky. People are cheap, and if they can get something for free, it's no shock that few of them will pay for it.

In my mind, an ideal software license would have the following;

1) Mandatory Code Release (This gives you some software Freedom)
2) Payment required to copy and/or use the software.
3) Some sort of revenue sharing scheme so that any contributors to the code receive a portion of the funds collected.

Think of it like a "software co-op license"

(This, incidentally, is how industry standards commonly work in the hardware business. You want to implement the IEEE 1234.567 standard? You pay up a standard fee per implementation, and that's doled out to the contributing companies.)

Re:The problem is both forms of free. (0)

Anonymous Coward | about 7 months ago | (#46908225)

Your software license will fail in the market because it is based on hyperinflation...

1/10 times 10 is not 1 (0)

Anonymous Coward | about 7 months ago | (#46907465)

I just have to comment that if you have 10 of 1/10 developers, you don't have 1 developer. Instead you have 10 developers that are not focused on that project. If that is hard to understand, lets take a car analogy. We have a car that is driving by one driver. After a while, the driver is teleported away and another person is teleported to the car to continue driving from there. And the same is repeated multiple times. Would you like to be a passenger in a car like that? If not, why do you think having non 100% developer is a good idea.

Actually, heartbleed was pretty affirming.. (1)

Junta (36770) | about 7 months ago | (#46907535)

Timing is pretty convenient. We have a tale of two exploits:
-Heartbleed. Open source project. Huge catastrophic bug, existed as of beginning of 2012. Fix available pretty much immediately upon discovery. As a result, significant resources are pouring in to proactively examine OpenSSL, some fixing and some forking OpenSSL. One way or another, the fix was immediate and concerned parties are empowered to do what they think is needed and the open source world will have risks mitigated as well as closed source being able to make their own call since it is BSD licensed.

-MSIE vulnerability. Closed source. Analagously large bug (albeit client side instead of server side by sheer luck), has existed since at the very latest 2008, but probably as of 2001. Fix was over a week in coming after disclosure. If you are an organization standardized on IE, you were largely SOL with respect to a fix (though mitigation through tedious security settings was possible). Maybe MS ramps up an internal effort to root out more of these, maybe they don't. They seem to have been in a more vigilant stance as a matter of course and that wasn't enough to stop it.

So in other words, very important projects with huge responsibilities can cock up. They can be open source, they can be closed source. The practical lower bound of resources to address issues in both cases will be small when no one knows something is wrong, but the upper bound when concern happens is much higher in open source.

Some have argued that the 'any bug is shallow with enough eyes' was proven wrong with heratbleed. Discovering security bugs are always more tricky than the bug intended to be considered in that philosophy, but even then once discovered, the bug was very very shallow.

Stunning Slashdot Insight of the Day (1)

sirwired (27582) | about 7 months ago | (#46907537)

Who woulda' thunk it? You Get What You (Collectively) Pay For. It doesn't matter if "payment" is in the form of money or manpower. If software you use is built by labor effort much smaller (in cost and/or size) than is usually needed for a project of a particular size or complexity, it should come as no shock that the product ends up not being the quality it needs to be.

"Under-resourced" assumes static resources (1)

redelm (54142) | about 7 months ago | (#46907587)

Oh dear, yet another Harvard BizSch / Big Business canard that FOSS is governed by the contraints of closed software. Resources only matter when they are restricted -- ie only [certain] employees can fix the code.

FOSS does not have this restriction _AT_ALL_ and that is one of it's greatest strengths. Torvald's "With enough eyeballs, all bugs are shallow." Yes, limited resources may mean it takes a while for an offical patch (still quicker than MS) but unofficial patches can and are generated by anyone interested and capable within minutes.

Yeah, OSS magically creates more eyeballs (1)

sirwired (27582) | about 7 months ago | (#46907673)

When you have a widely-used, yet complex, product that nobody has to pay for, doesn't require tech support (unlike, say, an OS), doesn't have any provisions for proprietary (i.e. non-free) features, and isn't really much fun to work on (unlike, say, a compiler), it should come as no shock that it's somewhat difficult to recruit enough eyeballs to look for all those bugs.

Yep, a patch can be issued quickly, but a project with sufficient access to resource ahead of time breaks less to begin with.

Gift vs. Exchange vs. Planned Economies (1)

Paul Fernhout (109597) | about 7 months ago | (#46907611)

They overlap and interact in unexpected ways, along with the theft economy and the subsistence economy. OpenSSL is a prime example of these overlaps and the complexities of trying to manage all that socially. Should the planned government economy make the code work via tax-supported staff of a government agency? Should businesses exchange money for more development work and support services specific to their needs? Should more developers just donate their time or individuals donate their funds to make OpenSSL work better? What mix makes sense? Especially for software of such global importance?

I talk about the interaction of those five types of economic transactions in general in a youtube video.
https://www.youtube.com/watch?... [youtube.com]

Number of Developers/Maintainers? (1)

wisnoskij (1206448) | about 7 months ago | (#46907637)

So how many developers does OpenSSL need for maintaining the code base?

not what happened (1)

stenvar (2789879) | about 7 months ago | (#46907689)

Heartbleed was the result of someone adding an optional and useless feature to OpenSSL that should never have been added in the first place. That's not a problem with having insufficient resources, it's a problem with poor management.

If it has anything to do with resources, it's a sign that people on the project have too much free time on their hands, because if there had been anything important to be done, people wouldn't have the time to add this feature.

Every commercial project I've seen is understaffed (3, Insightful)

plopez (54068) | about 7 months ago | (#46907769)

Understaffed to save money with a huge backlog, insane deadlines, cut corners, and massive scope creep. So what's his point?

Re:Every commercial project I've seen is understaf (0)

Anonymous Coward | about 7 months ago | (#46908031)

The point is a closed source project isn't going to accept patches from some random dude on the internet.

A False Conflation (1)

Rambo Tribble (1273454) | about 7 months ago | (#46907859)

Inadequate resources is hardly the exclusive domain of Open Source projects. Nor is a failure to adequately vet code particularly reflective of an open development model. The insecure, buggy code in the devices used in the world's infrastructue display those facts, perfectly. Device manufacturers tend to focus on hardware, underfund and understaff their software development and demand unrealistic delivery times. These are, by and large, proprietary endeavors.

Also look at how Firefox turned to shit (-1)

Anonymous Coward | about 7 months ago | (#46908007)

when Google started funding them. Open Source projects are always hard up for cash and can be easily influenced by whoever cuts them some checks.

The truth is, like communism, open source is a failed experiment.

Re:Also look at how Firefox turned to shit (1)

gnupun (752725) | about 7 months ago | (#46908359)

Open source is not different from communism... Open source is principles of communism applied to software.

You get what you pay for. (1)

mikein08 (1722754) | about 7 months ago | (#46908115)

I don't trust "free" software. And never will. If you pay for software and it does not perform, you probably have a comeback on the vendor. If "free" software does not perform, you have no comeback on anyone, OpenSSL being exhibit one. And in case anyone was wondering, the ONLY reason "free" software has been so widely accepted by corporations is because it is supposedly "free". IMHO, free = crappy.

And this differs from commercial software... (1)

Max Threshold (540114) | about 7 months ago | (#46908293)

...where the CEO's idea of the time it takes to develop anything is off by a factor of five, and every developer is also an IT guy and half a dozen other things, how exactly?
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?