Free Can Make You Bleed: the Underresourced Open Source
jones_supa (887896) writes "After the Heartbleed fiasco, John Walsh brings attention to the lack of proper manpower and funding to run various open source projects. Free is not usually a bad thing, but it can be when it causes the software your business depends on to be under-resourced. 'OpenSSL for example is largely staffed by one fulltime developer and a number of part-time volunteer developers. The total labor pool for OpenSSL maybe adds up to two fulltime developers. Think about it, OpenSSL only has two people to write, maintain, test, and review 500,000 lines of business critical code. Half of these developers have other things to do.' Theo de Raadt has also spoken about too many donations coming from the little people instead of companies, and not too long ago even the OpenBSD project almost couldn't pay its power bills. Walsh goes on to ponder security of open source software, the 'many eyes' phenomenon, dedicating people to review code, and quality control."
It's not underresourced (Score:1, Insightful)
It is over-fragmented
Lol whut? (Score:5, Insightful)
If your business relies "critically" in its functions on such a piece of software, how would you as a business owner ensure the continuity of the "critical" function?
A. Hire someone to maintain and work on that software.
B. Whine about someone not giving you their time for free.
C. Buy a commercial solution which costs you 50k USD a year and has at most the same level of support as OpenSSL (though better packaged and you get to chat with the smooth sales rep)
What do you do?
Cheap ass gits. (Score:5, Insightful)
If your business is depending *critically* on a piece of free software then don't be such a cheapass git. Hire a developer or allocate some of your budget to fund the project.
Problem solved.
BS (Score:5, Insightful)
Re:Slant: look who is writing the article (Score:2, Insightful)
Re:It's not underresourced (Score:5, Insightful)
In some cases, fragmentation is bad. In case of critical infrastructure, fragmentation is great!
Having multiple interoperating implementations has always been one of the basic requirements for internet standards; it ensures future growth and leaves out the worst warts, dependency on undocumented behavior, etc. But most importantly, if a bug is found in one of the implementations, it cannot take out the complete internet infrastructure, because large parts of it are running a different implementation. Even if a bug is found on a protocol level, some implementations may not implement that feature or implement it slightly differently and aren't involved. Fragmentation is essential to the robustness of the internet.
Re:Honor only limit (Score:5, Insightful)
The problem is that with "many eyes" all the eyes are assuming some other eyes are looking.
The problem is not free. The problem is "free" (Score:4, Insightful)
The problem is not that the software is free (as in open). The problem is that people (and companies even more) perceive it as free (as in beer). That's the main misconception.
Companies want to cut corners by using OSS. They don't do it because it's easier to review, easier to adapt or easier to find someone who can audit it sensibly. They want it because they can grab it and use it without having to pay anyone for it.
And that simply won't fly. Because that entails the "can't someone else do it?" attitude. Yeah, the code should be reviewed. But someone else will do that, we needn't spend money on that. And it should be audited, but can't someone else do it and we save some money?
Funny enough, the fact that anyone can review, audit and fix things is also the reason why nobody does it. It's a bit like that job in your company that anyone could do, and since anyone can do it, everyone relies on someone else to do it. There are so many who can, at least ONE of them will. Right? RIGHT?
And since the fact that it is "cost neutral" (to avoid saying the ambiguous "free") is one of the criteria, if not actually THE criterion, why an OSS product is chosen 999 out of 1000 times in a corporate environment, you may rest assured that the same cheapskates that chose OSS because they can pinch a penny will not spend it on auditing it.
Re:Honor only limit (Score:5, Insightful)
....the 'many eyes' phenomenon,....
And nobody reviews the source code. People download, use the library/code or whatever and be on their merry way.
This "you can't get anything bad through because the source is freely available" has proven to be horseshit.
Some people are under the assumption that if you release something open source, you will get hundreds of volunteers lining up to work on it. And when they do, they will work on EVERYTHING. Truth is, unless your project is "sexy" it's hard to get developers. Look at the Linux kernel: a lot of the development is done by paid developers (not a lot sexy about the kernel). Look at where projects spend their focus: Firefox reinventing the UI again, Compiz wobbly windows; usually any application that can be skinned has 400 skins for every useful plugin. Meanwhile things like performance or user documentation get neglected.
Don't get me wrong, I think there are benefits to Open Source development models, I just don't think open sourcing something means hundreds of people are looking at it.
Re:Honor only limit (Score:5, Insightful)
No system is perfect but open source is closer to that ideal than closed source.
Every commercial project I've seen is understaffed (Score:4, Insightful)
Understaffed to save money with a huge backlog, insane deadlines, cut corners, and massive scope creep. So what's his point?
Re:Lol whut? (Score:4, Insightful)
And I'll let you in on a little secret: some teams writing proprietary software are also understaffed. The difference is that you won't know that they cut corners until things go bad. On the plus side: you get to blame the vendor instead of being blamed for your reckless choice of FOSS.
Re:Slant: look who is writing the article (Score:2, Insightful)
why are they wasting time and effort implementing OpenSSL extensions people don't actually need?
You say that like there was some kind of central management decision to implement heartbeat instead of something else. There wasn't. There was just some guy who sacrificed his personal time to implement a feature that may be useful to some (maybe not to you). What have you done for OpenSSL so far?
Re:It's not underresourced (Score:4, Insightful)
That assumes it's not possible to get software right. For a small enough code base (and 500k lines of code is pretty small), that's simply not true. The most robust solution is a monoculture around a bug-free product.
The problem is that getting there takes a lot of manpower for some pretty boring work, and that takes funding. But the funding required is pretty trivial on the scale of the companies who depend on OpenSSL. This is the kind of product where Google et al should fund hiring every security expert that there is in the world to independently crawl the code, fuzz test, all the usual tricks. Then offer a $1 million bug bounty. Same for SSH. It's pathetic that we can't get this basic plumbing right, when it's just a matter of resources, and damn cheap on the scale of the companies to which it matters.
If we had an NSA that actually did its original, defensive job we'd have this done already at taxpayer expense (and money well spent, for once), but we see that's simply not possible, so it's up to the private sector to step up.
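The thread takes Heartbleed as its premise and the last comment asks for fuzz testing of OpenSSL, but neither says what the bug class actually looks like. The following is an added illustration, written for this page and not OpenSSL's code: a heartbeat-style responder (RFC 6520 layout: type, two-byte payload length, payload, padding) in a vulnerable form that trusts the attacker-supplied length field, beside a hardened form that checks the claimed length against the bytes actually received, plus a small deterministic fuzz loop of the kind the comment above suggests. The "heap" contents, the record, the secret string and all function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative heartbeat message layout (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (at least 16 bytes) */
enum { HB_HDR_LEN = 3, HB_MIN_PADDING = 16, HB_RESPONSE = 2 };

static unsigned hb_claimed_len(const uint8_t *rec) {
    return ((unsigned)rec[1] << 8) | rec[2];
}

/* Shared tail: write the response header, echo payload_len bytes, append zero padding.
 * Returns bytes written, or -1 if the output buffer is too small. */
static int hb_build(const uint8_t *rec, unsigned payload_len, uint8_t *out, size_t out_cap) {
    size_t need = HB_HDR_LEN + (size_t)payload_len + HB_MIN_PADDING;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len);
    memset(out + HB_HDR_LEN + payload_len, 0, HB_MIN_PADDING);
    return (int)need;
}

/* Vulnerable: the echo length comes from the attacker-controlled field and is never
 * compared with rec_len, so a short record with a large claimed length makes memcpy
 * read past the record into whatever sits next to it in memory. */
int hb_respond_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR_LEN) return -1;
    return hb_build(rec, hb_claimed_len(rec), out, out_cap);
}

/* Hardened: the claimed payload plus mandatory padding must fit inside the bytes
 * actually received; otherwise the message is dropped without a response. */
int hb_respond_hardened(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING) return -1;
    unsigned payload_len = hb_claimed_len(rec);
    if ((size_t)payload_len + HB_HDR_LEN + HB_MIN_PADDING > rec_len) return -1;
    return hb_build(rec, payload_len, out, out_cap);
}

/* Constructed "process memory": a 20-byte record carrying one real payload byte but
 * claiming 37 (0x25), followed by 20 bytes modelling unrelated adjacent data. */
#define SECRET "private-key-material"
#define HB_REAL_RECORD_LEN 20
static const uint8_t hb_memory[] = {
    1, 0x00, 0x25,                          /* request, claimed payload_length = 37 */
    'A',                                    /* the single real payload byte */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,        /* 16 bytes of padding */
    'p','r','i','v','a','t','e','-','k','e','y','-','m','a','t','e','r','i','a','l'
};

static int hb_contains(const uint8_t *buf, size_t n, const char *needle) {
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable responder echoes the neighbouring secret back to the peer. */
int hb_demo_leaks_secret(void) {
    uint8_t out[128];
    int n = hb_respond_vulnerable(hb_memory, HB_REAL_RECORD_LEN, out, sizeof out);
    return n > 0 && hb_contains(out, (size_t)n, SECRET);
}

/* 1 if the hardened responder refuses the same over-claiming record. */
int hb_demo_hardened_rejects(void) {
    uint8_t out[128];
    return hb_respond_hardened(hb_memory, HB_REAL_RECORD_LEN, out, sizeof out) == -1;
}

/* Bytes written for a consistent record (claimed length 1 matches the real payload). */
int hb_demo_hardened_accepts_valid(void) {
    uint8_t rec[HB_REAL_RECORD_LEN], out[128];
    memcpy(rec, hb_memory, sizeof rec);
    rec[1] = 0; rec[2] = 1;
    return hb_respond_hardened(rec, sizeof rec, out, sizeof out);
}

/* Deterministic fuzz loop (LCG, so it is reproducible): random record lengths and
 * length fields against the hardened responder. Returns how many responses echoed
 * more bytes than were received, which should always be zero. */
unsigned hb_fuzz_hardened(unsigned iterations) {
    uint32_t state = 0x12345678u;
    uint8_t rec[64], out[128];
    unsigned violations = 0;
    for (unsigned i = 0; i < iterations; i++) {
        state = state * 1664525u + 1013904223u;
        size_t rec_len = 1 + (state >> 24) % sizeof rec;   /* 1..64 */
        memset(rec, 'x', sizeof rec);
        rec[0] = 1;
        rec[1] = (uint8_t)(state >> 8);
        rec[2] = (uint8_t)state;
        int n = hb_respond_hardened(rec, rec_len, out, sizeof out);
        if (n >= 0 && (size_t)(n - HB_MIN_PADDING) > rec_len) violations++;
    }
    return violations;
}

int main(void) {
    printf("vulnerable leaks secret: %d\n", hb_demo_leaks_secret());
    printf("hardened rejects:        %d\n", hb_demo_hardened_rejects());
    printf("fuzz violations:         %u\n", hb_fuzz_hardened(100000));
    return 0;
}
```

The whole defect is one missing comparison between a length the peer supplies and the length the transport actually delivered; the fuzz loop is cheap precisely because the invariant (never echo more than you received) is easy to state, which is the kind of boring, fundable work the comment is talking about.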