Security, Open Source

Free Can Make You Bleed: the Underresourced Open Source

Posted by timothy
from the superheroes-of-the-real-world dept.
jones_supa (887896) writes "After the Heartbleed fiasco, John Walsh brings attention to the lack of proper manpower and funding to run various open source projects. Free is not usually a bad thing, but it can be when it causes the software your business depends on to be under-resourced. 'OpenSSL for example is largely staffed by one fulltime developer and a number of part-time volunteer developers. The total labor pool for OpenSSL maybe adds up to two fulltime developers. Think about it, OpenSSL only has two people to write, maintain, test, and review 500,000 lines of business critical code. Half of these developers have other things to do.' Theo de Raadt has also spoken about too many donations coming from the little people instead of companies, and not too long ago even the OpenBSD project almost couldn't pay its power bills. Walsh goes on to ponder security of open source software, the 'many eyes' phenomenon, dedicating people to review code, and quality control."
  • Honor only limit (Score:0, Interesting)

    by Anonymous Coward on Saturday May 03, 2014 @08:34AM (#46907185)

    If a bad actor, such as a government or an illegal organization, wanted to inject a zero-day flaw, the current system makes it awfully cheap. Heck, open-source developers aren't even required to say a loyalty oath before submitting their changeset.

  • by eexaa (1252378) on Saturday May 03, 2014 @08:42AM (#46907215) Homepage

    From a slightly different perspective (largely unix-practical) -- when you don't have enough resources, you are forced to keep stuff simple. That's usually good, isn't it?

    Anyway, I always wondered why OpenSSL is such a bloated pile of code. It does one god damn gazillion things tightly packed. Now, the TLS implementation itself is pretty simple, key management tools are pretty simple, PKCS verification tools are pretty simple, the mathematics behind that is pretty simple, commandline tools for quickly using the maths are simple, and the relationships between those entities ("APIs") are well-defined and usually clear. Who stuffed all of it into one project?!

    PS. Bonus paranoia&FUD I saw today: http://pastebin.com/gjkivAf3 [pastebin.com]

  • While you have a point, you could also take away from the article that OpenSSL needs money.

    Good thing, then, that that's being actively taken care of. Ars Technica just posted an article recently that they're getting a lot more donations now and some large companies pledged to donate $50,000 yearly for 3 or 5 years. That should definitely help for a while, though I hope that after those 3 or 5 years have passed things don't go back to the way they were.

  • by MightyYar (622222) on Saturday May 03, 2014 @09:13AM (#46907345)

    Despite the slant, I actually came away impressed at the demonstration of efficiency: 2 developers are doing the work of perhaps thousands if the tools weren't open source.

  • by sirwired (27582) on Saturday May 03, 2014 @10:01AM (#46907607)

    One follows from the other. If your Free license says that anybody that works on your product is required to give away their efforts for free-beer free, it should not be surprising that it's difficult to find companies to spend money on something (like paying a developer) that won't give them a competitive advantage. This, incidentally, is why we have taxes; it forces people (and companies) to pay for the common good. We wouldn't have much in the way of public works if they relied solely on charitable donations and user fees.

    This is a persistent weakness of Free software, but you'll never get RMS to admit that money to pay for programmers does not magically fall from the sky. People are cheap, and if they can get something for free, it's no shock that few of them will pay for it.

    In my mind, an ideal software license would have the following:

    1) Mandatory Code Release (This gives you some software Freedom)
    2) Payment required to copy and/or use the software.
    3) Some sort of revenue sharing scheme so that any contributors to the code receive a portion of the funds collected.

    Think of it like a "software co-op license"

    (This, incidentally, is how industry standards commonly work in the hardware business. You want to implement the IEEE 1234.567 standard? You pay up a standard fee per implementation, and that's doled out to the contributing companies.)
