Free Can Make You Bleed: the Underresourced Open Source

Posted by timothy
from the superheroes-of-the-real-world dept.
jones_supa (887896) writes "After the Heartbleed fiasco, John Walsh brings attention to the lack of proper manpower and funding to run various open source projects. Free is not usually a bad thing, but it can be when it causes the software your business depends on to be under-resourced. 'OpenSSL for example is largely staffed by one fulltime developer and a number of part-time volunteer developers. The total labor pool for OpenSSL maybe adds up to two fulltime developers. Think about it, OpenSSL only has two people to write, maintain, test, and review 500,000 lines of business critical code. Half of these developers have other things to do.' Theo de Raadt has also spoken about too many donations coming from the little people instead of companies, and not too long ago even the OpenBSD project almost couldn't pay its power bills. Walsh goes on to ponder security of open source software, the 'many eyes' phenomenon, dedicating people to review code, and quality control."

  • by Anonymous Coward on Saturday May 03, 2014 @08:33AM (#46907183)

    It is over fragmented

  • Lol whut? (Score:5, Insightful)

    by Anonymous Coward on Saturday May 03, 2014 @08:35AM (#46907191)

    If your business relies "critically" on such a piece of software for its functions, how would you as a business owner ensure the continuity of the "critical" function?

    A. Hire someone to maintain and work on that software.
    B. Whine about someone not giving you their time for free.
    C. Buy a commercial solution which costs you 50 k USD a year and has at most the same level of support as OpenSSL (though better packaged and you get to chat with the smooth sales rep)

    What do you do?

  • Cheap ass gits. (Score:5, Insightful)

    by serviscope_minor (664417) on Saturday May 03, 2014 @08:45AM (#46907227) Journal

    If your business is depending *critically* on a piece of free software then don't be such a cheapass git. Hire a developer or allocate some of your budget to fund the project.

    Problem solved.

  • BS (Score:5, Insightful)

    by NapalmV (1934294) on Saturday May 03, 2014 @08:55AM (#46907271)

    How many programmers does Microsoft have? Are their products bug free as a result?

  • by Jody Bruchon (3404363) on Saturday May 03, 2014 @09:03AM (#46907319)

    OpenSSH relies on OpenSSL, so OpenSSH is only partially audited if OpenSSL isn't also being examined.

  • by paskie (539112) <pasky&ucw,cz> on Saturday May 03, 2014 @09:11AM (#46907341) Homepage

    In some cases, fragmentation is bad. In the case of critical infrastructure, fragmentation is great!

    Having multiple interoperating implementations has always been one of the basic requirements for internet standards; it ensures future growth and leaving out the worst warts, dependency on undocumented behavior, etc. But most importantly, if a bug is found in one of the implementations, it cannot take out the complete internet infrastructure because large parts of it are running a different implementation. Even if a bug is found on a protocol level, some implementations may not implement that feature or implement it slightly differently and aren't involved. Fragmentation is essential to the robustness of the internet.

  • by Anonymous Coward on Saturday May 03, 2014 @09:14AM (#46907353)

    The problem is that with "many eyes" all the eyes are assuming some other eyes are looking.

  • by Opportunist (166417) on Saturday May 03, 2014 @09:23AM (#46907399)

    The problem is not that the software is free (as in open). The problem is that people (and companies even more) perceive it as free (as in beer). That's the main misconception.

    Companies want to cut corners by using OSS. They don't do it because it's easier to review, easier to adapt or easier to find someone who can audit it sensibly. They want it because they can grab it and use it without having to pay anyone for it.

    And that simply won't fly. Because that entails the "can't someone else do it?" attitude. Yeah, the code should be reviewed. But someone else will do that, we needn't spend money on that. And it should be audited, but can't someone else do it and we save some money?

    Funny enough, the fact that anyone can review, audit and fix things is also the reason why nobody does it. It's a bit like that job in your company that anyone could do, and since anyone can do it, everyone relies that someone else will. There's so many who can, at least ONE of them will. Right? RIGHT?

    And since the fact that it is "cost neutral" (to avoid saying the ambiguous free) is one of the criteria, if not actually THE criterion, why an OSS product is chosen 999 out of 1000 times in a corporation environment, you may rest assured that the same cheapskates that chose OSS because they can pinch a penny will not spend it on auditing it.

  • by LinuxIsGarbage (1658307) on Saturday May 03, 2014 @09:32AM (#46907437)

    ....the 'many eyes' phenomenon,....

    And nobody reviews the source code. People download, use the library/code or whatever and go on their merry way.

    This "you can't get anything bad through because the source is freely available" has proven to be horseshit.

    Some people are under the assumption if you release something open source, you will get hundreds of volunteers lining up to work on it. And when they do, they will work on EVERYTHING. Truth is unless your project is "sexy" it's hard to get developers. Look at Linux kernel, a lot of the development is done by paid developers (not a lot sexy about the kernel). Look at where projects spend their focus: Firefox reinventing the UI again, Compiz Wobbly windows, usually any application that can be skinned, has 400 skins for every useful plugin. Meanwhile things like performance, or user documentation gets neglected.

    Don't get me wrong, I think there's benefits to Open Source development models, I just don't think open sourcing something means hundreds of people are looking at it.

  • by Barsteward (969998) on Saturday May 03, 2014 @09:39AM (#46907475)

    But you do get a "lot less bad though". Compare open source to closed source and compare the problems and the number of those problems. Closed source security problems lead the way by a long margin.

    No system is perfect but open source is closer to that ideal than closed source.

  • by plopez (54068) on Saturday May 03, 2014 @10:28AM (#46907769) Journal

    Understaffed to save money with a huge backlog, insane deadlines, cut corners, and massive scope creep. So what's his point?

  • Re:Lol whut? (Score:4, Insightful)

    by JaredOfEuropa (526365) on Saturday May 03, 2014 @10:55AM (#46907899) Journal

    A. In a lot of cases this is a manageable risk. You don't even need a full time employee; if an issue occurs (and if you manage it right, you'll often know about it ahead of time) you just hire a troubleshooter contractor for a few weeks to fix things. We've done this a few times with both FOSS software, and Mickey Mouse in-house software (think Access / VBA stuff), and in all cases the fix was faster and cheaper to apply than with comparable proprietary software.

    And I'll let you in on a little secret: some teams writing proprietary software are also understaffed. The difference is that you won't know that they cut corners until things go bad. On the plus side: you get to blame the vendor instead of being blamed for your reckless choice of FOSS.

  • by Anonymous Coward on Saturday May 03, 2014 @11:02AM (#46907923)

    why are they wasting time and effort implementing OpenSSL extensions people don't actually need?

    You say that like there was some kind of central management decision to implement heartbeat instead of something else. There wasn't. There was just some guy who sacrificed his personal time to implement a feature that may be useful to some (maybe not to you). What have you done for OpenSSL so far?
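The heartbeat feature referred to in the comment above is the TLS Heartbeat extension (RFC 6520), and Heartbleed was a missing bounds check in its request handler: the responder echoed back as many bytes as the peer's declared payload_length claimed, without comparing that number to how many bytes had actually arrived. The following is an added illustration of that bug class, written for this page; it is not OpenSSL's code and not part of the original thread. It models only the RFC 6520 message layout (one type byte, a two-byte big-endian payload_length, the payload, then at least 16 bytes of padding). The function names, the 40-versus-2 byte sample record and the "SECRET-KEY-MATERIAL" bytes placed after it are all constructed for the demonstration; the data is laid out in one local buffer so the over-read stays inside allocated memory and the leak is deterministic rather than undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the RFC 6520 HeartbeatMessage layout (not OpenSSL's code):
 * type (1 byte), payload_length (2 bytes, big-endian), payload, >=16 padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR_LEN  3
#define HB_PADDING  16

static uint16_t hb_payload_len(const uint8_t *rec)
{
    return (uint16_t)(((unsigned)rec[1] << 8) | rec[2]);
}

/* Vulnerable variant: echoes payload_length bytes without ever comparing the
 * declared length with rec_len, the number of bytes that actually arrived.
 * A lying peer makes memcpy read whatever sits in memory after the record. */
static size_t hb_respond_unchecked(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                  /* the bug: unused */
    uint16_t payload_len = hb_payload_len(rec);
    size_t resp_len = HB_HDR_LEN + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len); /* over-read */
    memset(out + HB_HDR_LEN + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Hardened variant: checks the declared length against the bytes that
 * actually arrived before touching them; malformed records are dropped. */
static size_t hb_respond_checked(const uint8_t *rec, size_t rec_len,
                                 uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = hb_payload_len(rec);
    size_t resp_len = HB_HDR_LEN + (size_t)payload_len + HB_PADDING;
    if (resp_len > rec_len) return 0;               /* declared > received */
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len);
    memset(out + HB_HDR_LEN + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Constructed sample: a 21-byte record carrying 2 real payload bytes ("hi")
 * with a chosen declared payload_length, placed in a larger buffer directly
 * in front of unrelated bytes that a correct responder must never disclose. */
static const char SECRET[] = "SECRET-KEY-MATERIAL";

static size_t build_sample(uint8_t *arena, size_t cap, uint16_t declared)
{
    size_t rec_len = HB_HDR_LEN + 2 + HB_PADDING;   /* 21 bytes on the wire */
    memset(arena, 0, cap);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(declared >> 8);
    arena[2] = (uint8_t)(declared & 0xff);
    arena[3] = 'h'; arena[4] = 'i';
    memcpy(arena + rec_len, SECRET, sizeof SECRET); /* adjacent memory */
    return rec_len;
}

static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0) return 1;
    return 0;
}

/* 1 if the unchecked responder leaks the adjacent secret for a record
 * that declares 40 payload bytes but carries only 2. */
int demo_unchecked_leaks_secret(void)
{
    uint8_t arena[128], out[128];
    size_t rec_len = build_sample(arena, sizeof arena, 40);
    size_t n = hb_respond_unchecked(arena, rec_len, out, sizeof out);
    return n == HB_HDR_LEN + 40 + HB_PADDING && contains(out, n, SECRET);
}

/* Response length of the checked responder for the same lying record: 0. */
size_t demo_checked_drops_malformed(void)
{
    uint8_t arena[128], out[128];
    size_t rec_len = build_sample(arena, sizeof arena, 40);
    return hb_respond_checked(arena, rec_len, out, sizeof out);
}

/* 1 if an honest record (payload_length = 2) is still echoed correctly. */
int demo_checked_echoes_valid(void)
{
    uint8_t arena[128], out[128];
    size_t rec_len = build_sample(arena, sizeof arena, 2);
    size_t n = hb_respond_checked(arena, rec_len, out, sizeof out);
    return n == rec_len && out[0] == HB_RESPONSE && out[3] == 'h' &&
           out[4] == 'i' && !contains(out, n, SECRET);
}

int main(void)
{
    printf("unchecked leaks secret: %d\n", demo_unchecked_leaks_secret());
    printf("checked drops malformed: %zu\n", demo_checked_drops_malformed());
    printf("checked echoes valid: %d\n", demo_checked_echoes_valid());
    return 0;
}
```

The only difference between the two responders is the single comparison of the declared length plus header and padding against the length of the record that actually arrived; the real fix was a comparison of that same shape. It is also the kind of defect a length-aware fuzzer finds quickly, which is the point of the later comment about funding fuzzing of code everyone depends on.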

  • by lgw (121541) on Saturday May 03, 2014 @02:41PM (#46909073) Journal

    That assumes it's not possible to get software right. For a small enough code base (and 500k lines of code is pretty small), that's simply not true. The most robust solution is a monoculture around a bug-free product.

    The problem is that getting there takes a lot of manpower for some pretty boring work, and that takes funding. But the funding required is pretty trivial on the scale of the companies who depend on OpenSSL. This is the kind of product where Google et al should fund hiring every security expert that there is in the world to independently crawl the code, fuzz test, all the usual tricks. Then offer a $1 million bug bounty. Same for SSH. It's pathetic that we can't get this basic plumbing right, when it's just a matter of resources, and damn cheap on the scale of the companies to which it matters.

    If we had an NSA that actually did its original, defensive job we'd have this done already at taxpayer expense (and money well spent, for once), but we see that's simply not possible, so it's up to the private sector to step up.
