Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Should Open Source Software Expire? 565

Daffy writes "Jon Lasser at SecurityFocus has an idea for combating the tendancy most sysadmins have to leave old versions of software running long after they're known to have security holes. He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update."
This discussion has been archived. No new comments can be posted.

Should Open Source Software Expire?

Comments Filter:
  • Bad idea (Score:4, Insightful)

    by drodver ( 410899 ) on Wednesday April 03, 2002 @04:38PM (#3279621)
    Open Source is about not forcing you to do anything. Besides the code could just be removed. Who is a developer to say how I should administer my box.
    • Re:Bad idea (Score:3, Insightful)

      by gilder ( 267022 )
      I agree that the user/admin should have the freedom to allow it to expire. How about making it a configure option? Say expire on a date I give or a suggest date from the author. Give the program an email address to nag if it expires?
      • Re:Bad idea (Score:3, Interesting)

        by gotan ( 60103 )
        That way i'd have to configure each piece of software, or make it all depend on a special configure file. Anyway i don't find it appropriate to patch each app in such a way. It'd be much easier to regularly run an 'expire' job that simply updates a list of expired software (from the net) and compares it against the versions in the rpm-database.

        Then the user/admin can decide what expire should do: maintain a list of expired software (maybe with different warning levels, from "obsoleted by a new version" to "security hole, patch now"), mail him, shutdown the service, update automatically (shiver), whatever. The admin can also decide how often 'expire' should run, or, in case of a static ip, maybe even allow the 'expire-server' to contact his machine.

        The method of comparing against a list on the net (or maybe on some update media) is better than expiring after a preset time. And selferasing software is simply nonsense. imagine software development is discontinued, or you just can't reach the net, and thus not update anyway, or an admin is on holidays. He'd probably prefer the firewall up and running, even if outdated, than having no firewall at all.

        Also maybe other projects depend on a certain piece of software. Forcing to switch versions at some preset date isn't helpfull at all in that case. There are so many possible reasons why someone might want to hold onto an old app a little longer, maybe even for 20-30 years. This "force to upgrade" practice could come right out of microsofts book of marketing, but it doesn't make sense for open source software.

        Maybe he should've written that piece 2 days ago ...
      • Bad security too (Score:4, Insightful)

        by Zeinfeld ( 263942 ) on Wednesday April 03, 2002 @06:18PM (#3280419) Homepage
        The assumption that newer versions of programs are more secure is simply wrong. I have had several systems break after someone replaced a verified secure piece of code with an unverified insecure one.

        Case in point was when someone decided to install the latest version of sendmail with the usual horde of bugs over a version of QMail.

        The biggest problem when someone downloads new versions of software however is that they are typically installed with the wrong defaults or insecure defaults, or they blow away parts of the security profile to allow them to be installed.

        The type of system build I would typically use probably has less than 10% of the typical Linux distribution. The eliminated portions are gone for good reason - if the feature isn't needed it goes. So having someone reinstall the components I have removed is a major problem.

        The other issue to beware of is any form of automated update that does not have very stringent controls to validate the authenticity of the replacement code. Otherwise the update mechanism becomes a potential backdoor. Don't believe that downloading the latest source via FTP is the solution either. All I need to do is poinson your DNS and you are downloading the version with my trojan.

        What is needed is some form of software resource database that keeps track of the version of each software package installed, differences between that and the standard installation etc etc. Ideally there would be integration with something like tripwire. The ideal would be to have the type of mechanism that the .NET security framework has in which you can require software components to be signed by an authorised source in order to run.

        Building and maintaing such a system would be very tedious and expensive to do well however, if it isn't done well it is no good.

        The sell by date proposal is simply clueless, the guy does not appear to have much real security experience, he is just repeating the dogma.

    • Re:Bad idea (Score:2, Insightful)

      by Morel ( 67425 )
      Besides, how many times have we come across 'new and improved' versions of our favorite software that just plain suck?

      Careful sysadmins don't just set the Automatic Upgrade swith to "Full Throttle", they evaluate stuff before deploying it.

      Morel
    • Open Source is about not forcing you to do anything

      EXACTLY.

      You're taking the "Free" out of "Free software".

      Only evil proprietary companies force you to do stuff, right? ;-)
    • Re:Bad idea (Score:5, Insightful)

      by Galen Wolffit ( 188146 ) on Wednesday April 03, 2002 @04:55PM (#3279842)
      Oi, I agree, but for different reasons. Yes, the code could be commented out - so what? Any code that secures an existing hole can be commented out, thus re-opening the hole.

      I think it's a bad idea to actually _disable_ a running program, because doing so can cause problems that are not necessarily immediately traceable back to the disabled program. Instead, the program should raise some sort of persistent alert, via email, logfiles, or whatever, at some interval, alerting the administrator that there is an out of date program running.
    • Re:Bad idea (Score:3, Insightful)

      by 4of12 ( 97621 )

      I agree that putting in arbitrary time locks is not a good approach to making open software secure.

      Fundamentally, the best approach is to encourage sysadmins and those responsible for hiring sysadmins to take security as a serious matter.

      Practically, I'd say a better approach is to have open source security scanning software that sysadmins can use to easily diagnose whether their systems and applications have a potential security problem. The raw ingredients for something like this are already out there, but I'm not sure if they are conveniently packaged.

      It's one thing to see CERT and CIAC vulnerability postings and mull over whether some random application might occasionally open up a weird network port and be vulnerable to a BO, but that requires some investment of time.

      A service that allows you to download and run a trusted, signed test application for each of the vulnerabilities you see on Bugtraq would be a real time saver for most sysadmins, who have quite a lot to do already.

  • by xyzzy ( 10685 ) on Wednesday April 03, 2002 @04:38PM (#3279630) Homepage
    As if being kept on the upgrade treadmill by Microsoft isn't bad enough!

    You can't pick an arbitrary point in time when software is "too old", or "known to have security holes!" If you could do the latter, you'd just fix the security holes...!
  • Erm, no (Score:5, Insightful)

    by adamwright ( 536224 ) on Wednesday April 03, 2002 @04:39PM (#3279636) Homepage
    I have old internal boxes that are way way out of date, but safely firewalled away doing just what I want them to do. Rebuilding those every few months/years (or having to remove timebombs from software before I install it) == Bad idea.

    I agree that software should assist admins in keeping it uptodate, but honestly, legitimate users shouldn't be affected if an admin is incompetant or lazy.
    • Re:Erm, no (Score:2, Insightful)

      by 3Bees ( 568320 )
      Along these lines, it might be a good idea if package management systems kept track of such stuff (queried their central databases about known security holes/outdated programs) and notified admins.

      At least this would remove any burdensome mandatory nature from the effect while still satisffying the perceived demand.
  • Or not (Score:4, Insightful)

    by klosskorban ( 560039 ) on Wednesday April 03, 2002 @04:39PM (#3279637) Homepage
    Why not just have it a feature of your package management system? IE. the not yet finnished, PKGtool 2.0 system
    • Because (Score:3, Insightful)

      by why-is-it ( 318134 )
      Why not just have it a feature of your package management system?

      Because it would be foolish for a SysAdmin to load fixes/patches without testing them first. There have been occasions in which a patch will break something else that the application does. (Checkpoint FW-1 patches are notorious for this) There have been patches that are issued and then recalled because of problems with the patch itself. Who would want to put production systems at risk by having critical code installed automatically before the SysAdmin would have the chance to test it.

      If someone wants to implement something like this, all I can say is that I hope you take regular back-ups and validate your tapes.

      You will need them.
  • I think.... (Score:4, Interesting)

    by Bob McCown ( 8411 ) on Wednesday April 03, 2002 @04:40PM (#3279641)
    I think that the premise that all computers are exploitable is a wrong one to persue. Granted, any idiot that leaves an exploitable machine running on the net gets what he deserves, yet in this age of DDOS viruses/trojans, the damage goes far beyond a single machine. BUT, I dont think FORCING an upgrade is the way to go. If I have a machine on an internal network merrily pluggin away for years, why break it if its working?
  • This sounds like something that Microsoft would do (or already does).
  • After all, that is part (a large part) of what Open Source is about. Options.

    Now, as a programmer, I may not want to add changes to an older version that I am not working on anymore, so I am within my rights to say, "If you want that additional functionality, you have two choices. Upgrade, or do it yourself."

    Again, options.

    EFGearman
    --
    • (I work for a medical device company)

      Every time medical company (i.e. a drug manufacturer or a medical device manufacturer) implements new software, even if it's just an upgrade to, say, their call handling software for their tech support department, a validation process has to be performed. This includes:

      a risk analysis to determine HOW much validation has to be done according to how much harm can be done (and yes, there is harm even in the tech support software)

      creating a test plan

      testing the software to make sure it works to intended use

      completing validation paperwork documenting that the testing was actually done

      creating a validation report and test summary detailing your findings

      keeping all these records on file for a long time so the FDA does not land on you like a hungry 2-year-old on a twinkie

      If you're a medical company and you DON'T plan on doing all this, you can expect a write-up (which must be responded to) at your next FDA audit. If you don't respond to the write-up, hire a lawyer cause the FDA is gonna shut you down. This is a large part of why we've kept around some of the DOS applications we use--no one here has the extra time to do all the validation on new software.

  • Expiration. (Score:5, Interesting)

    by saintlupus ( 227599 ) on Wednesday April 03, 2002 @04:40PM (#3279648)
    He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update.

    Interesting idea, but the assumption that people will only want to run newer software seems a bit flawed to me. To quote the genius Anonymous, "Assumption is the mother of all fuck-ups."

    Last night I installed RH 6.2 on an old P75 I picked up somewhere, and ended up installing an old version of openssh on it (along with a bunch of other older stuff) to save disk space. Under this scheme, I wouldn't be able to; despite the fact that the machine is behind a firewall, I'd be bullied into running larger, more secure software.

    The computer is mine. The software is mine. And, should there be an issue, the blame is mine. I don't want anyone who thinks they're smarter than me fucking around with my computers. If I did, I'd run Windows, now wouldn't I?

    --saint
    • Re:Expiration. (Score:3, Insightful)


      The computer is mine. The software is mine. And, should there be an issue, the blame is mine.

      *BUT*, think CodeRed/Nimda-like - your problem could also become mine and I sure as hell don't want that!

    • Re:Expiration. (Score:3, Insightful)

      by Alan Shutko ( 5101 )
      We have an employee flying to Tallahassee as I write this because a version of RH6.0 had an old version of ssh on it, which was perfectly safe because it was behind a firewall. Until, of course, the firewall is changed to allow ssh... and someone needs to relay the OS because the machine was hacked.

      Seriously, how much space did using a version of ssh with security holes save you? Was it significant, or are you rationalizing your negligence?
  • by Markusis ( 46739 ) on Wednesday April 03, 2002 @04:40PM (#3279651) Homepage Journal
    Wouldn't it make more sense to include something that checked the web for available updates and presented them to a sysadmin as an option or a recommended upgrade. It's silly to have something "expire" when it can just be patched or upgraded.
  • Comment removed based on user account deletion
  • heh (Score:4, Funny)

    by Ooblek ( 544753 ) on Wednesday April 03, 2002 @04:41PM (#3279662)
    like a Blade Runner replicant when it reaches a certain age, forcing an update

    Uh, they DIED when they expired. Probably not a good thing to let your web server die over a long holiday weekend.

    (Insert "Tears in the Rain" speech here.)

    • by mav[LAG] ( 31387 ) on Wednesday April 03, 2002 @05:50PM (#3280241)
      [root@owl.tyrell.com] /usr/local/apache/bin/apachectl start
      Starting httpd - please wait...
      How old am I?
      ^C
      My birthday's April 10 2017 - how long do I live?
      ^C^C^C^C
      Nothing is worse than having an itch you can never scratch!
      ^C^C^ZC^Z^C^Z^CZ^C^C^C^C^Z^C^C^C
      Wake up! Time to die!
      Starting httpd... [FAILED]
      mod_leon died prematurely...
      [root@owl.tyrell.com]#
  • Just because there's a newer version doesn't mean it's better for an individual's purpose than what is currently being run. It could even break a mission-critical application.

    Just what we need -- another group of folks making decisions they have no reason, right or responsibility to make.

    Write software, let the users who deploy it take the responsibility for making changes. Or is individual choice and responsibility no longer important?
  • Who audits the new version? This is only well motivated if you're sure the new version is *always* a "better" version than the old.

    Now what the hell does that mean in the general case?
  • No way (Score:2, Interesting)

    by bsdparasite ( 569618 )
    Why should I keep installing new software on my machine? Why should it not work the way it did before? This is a Microsoft based model for people who are obsessive with updating their software. I would love to use the same program that I used 3 years ago, but with a better OS base with more support for new devices. I don't care for bloated features. Just something that makes my day.

    One ring to rule them all..the O in OpenBSD

  • Absolutely (Score:3, Interesting)

    by geordie ( 258181 ) on Wednesday April 03, 2002 @04:42PM (#3279681) Homepage
    I've often thought that expiry times in software would be a good thing. Not nessesarily in Paid for software, but in free software where free updates are readily available. Would be great for the web.... imagine knowing that you will never have a Netscape 3.x or IE 3.x visitor to your site again... or knowing that on such and such a date you wont have to support Netscape 4

    The only downside I can see is what happens when you've using some software and the developer stops developing it....your software passes its expiry date...no updates are available... what then?

    • Re:Absolutely (Score:5, Insightful)

      by tswinzig ( 210999 ) on Wednesday April 03, 2002 @05:27PM (#3280116) Journal
      The only downside I can see is what happens when you've using some software and the developer stops developing it....your software passes its expiry date...no updates are available... what then?

      What then is that you realize what a horrible fucking idea this is in the first place.
  • I would disable it.
    If it is working, why mess with it?
    I'm not talking about a publicly visible firewall.
    But what about embedded apps, laboratory code.

    Could you imagine home/office mini servers just dying one day?
    When it disables will you be able to use it long enough to upgrade or is it dead?
    I wouldn't want it, of course I apt my stuff regularly anyway.
  • by TheFlyingGoat ( 161967 ) on Wednesday April 03, 2002 @04:43PM (#3279693) Homepage Journal
    I don't think the software should automatically update itself or expire, but rather have some way of communicating with the sysadmin. For example, if you use the CPAN module for perl in shell mode, it'll tell you if there's a new version of itself available, and how to update. Most importantly, it does so unobtrusively (as opposed to some programs that get annoying about it).
  • I have no problem with it. Anyone who has the brains to hunt through the source and remove the time limit should also be smart enough to understand the consequences of such an action. People who are not smart enough to do it themselves (or hire someone who is) should be grateful for whatever they get. If they whine about it, you can always offer to refund the purchase price.
  • This would be a Bad Idea in embedded devices, because they may very well be designed not to be upgraded.

    This would also be a Bad Idea in any installation where the person maintaining a machine may change (which covers just about everywhere). It's hard enough keeping track of everything on your own machine - what about a machine you inherit from a previous administrator?

    The machine suddenly stops doing something vital when the software expires, and you have to track down what and where it was.

    Better just to write "review the installed version of Widget X" in your day planner at regular intervals.
  • Well, there goes my uptime. Reboot and upgrade required, your kernel is about to expire. The server is going down now.
  • Last time I looked, they wanted you to take a run on the treadmill verey year or so.

    Why, why, why would you do this. If a piece of software is being distributed with no support, there is no reason for anyone to want to replace a working piece of software that does the job that it is meant to do with another one that might or might not work. For companies who support software, it is reasonable to say "Hey, get on the latest release. We may have fixed that problem a long time ago." but for non-supported open source, you gotta be smoking the Willy Weed to think scheme up.
  • Open source being what it is, nothing can stop dedicated users from removing the expiration code from their packages. In the case of stalled development, this may even be necessary, and it can serve as a safety valve to help offset the dangers of software expiration. This makes it fundamentally different than licensing schemes that permit automated remote disabling of software packages.

    Sure, until the first time your gcc expires then you are dead... (or gcc is working but ftp, httpget, and curl are not...)

    Or the first time you unearth some old hardware and want to bring it back to life. Sure you could reinstall from scratch, but that lengthens the time it takes to find out if the hardware really still works, and what is on it!

  • Dumb. (Score:3, Informative)

    by dasmegabyte ( 267018 ) <das@OHNOWHATSTHISdasmegabyte.org> on Wednesday April 03, 2002 @04:46PM (#3279728) Homepage Journal
    What a dumb thing to say -- any requirement you make for Open Source will be totally ignored by a good segment of the population no matter how good an idea it is. You can't make demands of a free community simply because much of the population are idiots. It's those idiots losing their jobs when the servers become infested with hackers that is going to teach them to update their software. Putting in artificial expiry dates only leaves another worthless feature to debug.

    Expiry is for shareware...open source's trademark is its install once, run forever (for most applications) reputation. And for machines properly behind firewalls, this reputation is justified, even with the holes. Who is going to be rooting the print server at our church with no internet access.
  • Everyone in the OSS community has been bashing (well, most people anyways) MS's forced upgrade treadmill, and now, we want to adopt that? How hypocrit can we be?

    I have the source code, leave me alone, even if I want to leave with all the security holes I want. That's my choice. That's all about being free.

    Now, if I'm forced to upgrade, and there's still security holes and my system gets cracked, if I can sue you for loss and damages, then we can talk about forced upgrade. This should apply to all commercial softwares.

    Otherwise, just leave me alone. One MS model is bad enough. We don't need more.

  • by realgone ( 147744 ) on Wednesday April 03, 2002 @04:47PM (#3279742)
    Better yet, I suggst we rig it so the sysadmins "expire" when they reach a certain age. Forcing an update, of course.

    Hey... how else are the young techies of the world supposed to get the plum jobs and read /. all day? =)

  • by Picass0 ( 147474 ) on Wednesday April 03, 2002 @04:47PM (#3279743) Homepage Journal
    How about instead putting a little bug in the code that contacts the author every time the software is run? It could also send some basic marketing information as well, such as the names of every DVD watched, or MP3 played, or every website visited.

    What a great feature!
  • Gnumeric (Score:5, Interesting)

    by OpCode42 ( 253084 ) on Wednesday April 03, 2002 @04:47PM (#3279745) Homepage
    Gnumeric had something like this.

    I was running an old version, the one that comes with a default slackware 8.0 install.

    On opening, it popped up an alert saying "This software is old, and has probably been updated by now! Check out gnumeric.org for an update."

    No hassle, just a one-off friendly reminder.

    Good idea, I thought.
    • Re:Gnumeric (Score:4, Interesting)

      by Anonymous Coward on Wednesday April 03, 2002 @05:34PM (#3280167)
      At least it let you run the software. How about this: Class presentation day. You launch Realplayer on your laptop to show some video. "Your version of RealPlayer has expired, please download a new version". Goddammit, I'm in front of 30 people, my laptop is NOT on the network, and my 10 minutes timeslot is expiring. I don't have TIME to download and install a fuckinlblarhfap arg!! NEVER REALPLAYER AGAIN.
  • Expire (Score:2, Funny)

    by surfcow ( 169572 )
    ... that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update.

    I see. Does the program then track doen its creator and kill him?

    "I want more life, fscker." =brian
  • Mozilla currently will warn you when a build is older than two weeks. It continues to function however. The reason for this, is so that bug reports are relevant to the current codebase, and new bugs are found quicker, and less duplicates are reported.

    Personally I don't feel the software should expire or stop working in any way. But a better approach is software that can check for newer releases of itself, and possibly auto-update itself.

    A good example of this is Gnucleus's evolve capability. If a security problem is found, most all the users would know about it the next time the program checked for an update, and it would get fixed easily within a day or two.

  • CBDTPA / SSSCA (Score:2, Insightful)

    by MConlon ( 246624 )
    Assume a worst-case scenario: would you want the software (some of it critical) on your machine to expire if we end up living in a law-induced dark age?

    Personally, I want my 60MHz Pentium server to run for as long as *I* want it to... not as long as some third party (whether that be a hardware developer, a software developer, or the government) wants it to run.

    Of course the nice thing about OSS is that you'd be able to remove the code that expired it.

    MJC.
  • No, it shouldn't. (Score:2, Insightful)

    by Drakin ( 415182 )
    There's some cases where there's no need for the program to be updated, no matter what securiy risk it might pose.

    If it's sitting in a lan that has no acess to the internet, or if it's being used in a case where space is limited... there's probably other reasons that software shouldn't expire.

    How would you like if your computer decided that it wasn't going to run a critical (to you) program and you have to stat reinstalling it while a deadline creeps closer.

    Maybe a reminder service would be the best way, after so many days/months/years it makes a reminder to check for updates. That, or educate people that upgrades for securty are a good thing in some cases.
  • Software expiry date? Like that can of cream in the company fridge?

    *sniff* *sniff* "Is that the PDC?"
  • Sounds like a Microsoftie thing to do. Remember Win95? If you left it running for 49 days, IIRC, it would crash.
  • Given that an exploitable system is not just a danger to oneself, but also a danger to others, it's quite possible to justify expiring software the same way that one justifies enforced adherence to safety measures. Its quite common to force companies to upgrade equipment to current safety standards. This is merely a mechanism to protect the community.

    While it doesn't necessarily justify forcing users to upgrade, this debate is not an entirely one-sided.
  • Egads... Apache 1.3 is about to expire, so it hooks up with The Gimp and wreaks havoc, running through the filesystem looking for the kernel, so it can extract revenge, or at least look for a way to avoid death.

    One Rutger Hauer is enough, thank you!

  • So instead of writing secure software in the first place, now we will just give up and say, ok we know this software isn't going to be good enough to last very long, so we're going to timebomb it for you. How nice.
  • He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update."

    Remember the bug [zdnet.com] where Windows 98 would automatically halt after 49 days? See, Microsoft really IS ahead of the security curve!
  • He proposes implanting time codes into all open source networking and security software that cause it to "expire" like a Blade Runner replicant when it reaches a certain age, forcing an update."

    IMHO, I want to have the latest security patches, but I will only install them after the patches have been tested in a lab environment in the hopes of limiting potential problems when those patches are installed on production systems.

    Security patches aside, I don't want to be forced into upgrading perfectly useful code just because it has been deemed "too old". If it ain't broke, why should we fix it? I have the scars from some particularly unpleasant upgrades that were supposed to be seamless and transparent, yet were anything but. When I build a server that will be connected to any network, I remove as many packages and modules from the OS as possible and only install the application and whatever dependancies that it requires, and nothing else. We have fewer vulnerabilities to track as a result. I will upgrade when it makes sensse, or is required, but I don't want someone else who is not accountable to the company I work for making that decision for me buy putting time-bombs in their code.

    There is a reason that it is referred to as "bleeding edge" after all - you get hurt.
  • Folks seem adamant that automatic expiration of code is a bad idea; on the face of it, I'd have to agree.


    Maybe it's not an idea totally devoid of merit for binary installations, but for installs that included compile steps, it just doesn't seem to make sense.


    However, I'm curious what /.'ers think about automated upgrade detection, a la virus protection programs?


    It'd be difficult to co-ordinate, and would work best in some sort of centralized location (or, at least, in a few locations. maybe by OS (Linux tools) or by application (I'm thinking logical groupings of apps here).


    what do ya'll think?

  • So if I have a perfectly good piece of OSS running that hasn't died on me, is secure and doesn't have any real issues, I should expect it to die anyways after X days, regardless of need?

    And what if there's no update available after said expiration?

    If I wanted softwate that was designed to die after so many days, I'd use Windows. (At least, sometimes it seems like it was designed that way.)

    J
  • April Fool's Day was two days ago.
  • by rtos ( 179649 ) on Wednesday April 03, 2002 @04:53PM (#3279815) Homepage
    Yeah, nothing like having your systems go down over a weekend because you didn't upgrade fast enough. Pfft!

    Why not try something a little more reasonable, such as SecurityFocus Pager 3.0 [securityfocus.com]? And I blockquote:

    "The SecurityFocus Pager is a dynamic application designed to help system administrators track content of interest to them on the SecurityFocus.com web site. It affords the system administrator the ability to select categories of interest and tracks them automatically, notifying the administrator when new content arrives. The Security Focus Pager displays short descriptive summaries
    allowing the administrator to stay updated on relevant issues in the security world, including vulnerabilities, news articles, software releases, and other important information."
    Of course, there are other tools available that do the same thing (or something similar). The point is tools like this allow admins to stay up on security issues, but let them upgrade immediately or as soon as practicable.

    Or you can just do an apt-get update; apt-get upgrade; [debian.org] once in a while like I do. ;)

  • Hehehe... This is funny... the YRO guy publishes an article that takes "free" out of "free software" (you are being "forced" to do something). LOL! Only on slashdot...

    Lets not even get into all the nice open source programmers spending time putting in something that some 1337 d00d will remove in a matter of seconds upon release.

    If the sysadmin CARED about security, he'd upgrade his software, wouldn't he?

    Open source software. I thought the idea was to make it free and not care about what people do with it (except sell it for money). Now we care? Come on!
  • How many projects have gone dark, never to be seen again? Heck, I was looking at this Gnome newsreader that looked cool, but no-one had a link to the code. If the thing's fallen out of development, what happens when it expires?

    The Newton community has had this happen several times; the developer is gone, since the platform's been dead for a few years, so how do re-register the software?
  • I think the biggest problem with such a model is that it places the emphasis on forced compliance to software renewal, rather than on making sure your users are informed and participating in the program's community. Now that might not be happening now, but it doesn't mean it can't or doesn't happen. Free software is based on ideas like that, and by forcing, rather than encouraging, partcipation I think you loose some of the value of a fs/os programming.
  • It is called syslog (Score:2, Informative)

    by NotoriousQ ( 457789 )
    The software can just dump "check for security upgrades" messages into syslog, and the administrator can decide. Now if the administrator ignores those, he deserves to be rooted.

    Besides, aren't up2date, rpm, dselect, etc. exist to do the work for a lazy admin.

    As for forcing -- i will mirror the general slashdot public -- hell no.
  • by IRNI ( 5906 )
    Just because someone has an old version of software that may have some known exploit in it doesn't mean they have to upgrade to a newer version. For many reasons I wouldn't want that to happen. I use an older version of sendmail on one of my very low key servers that has no contact with the outside world. Simply because it has a config file specifically for it that does everything I need. Now if it expired and I was forced to upgrade I would have to rewrite everything because the syntax is different. I don't like being forced to do something like that when I don't have time for it.

    If you are going to make me update because of a security hole, make sure your product is 100% backwards compatable with the version I am running. IMHO that is the way it should be.
  • Apart from the obvious fact that you're making the software non-free-as-in-speech, this makes the dubious assumption that software always gets better with each version.

    What about the case where a new version is released to fix a minor performance problem, and a new security bug is introduced? Even with rigorous testing, massive security holes do slip though. No process should be automated that has even a CHANCE of making things worse.

  • Jon Lasser is an idiot.
  • by c.r.o.c.o ( 123083 ) on Wednesday April 03, 2002 @04:54PM (#3279833)
    There is no real reason why old software should have an expiry date.

    First of all, there is a lot of code out there that is simply not maintained anymore. It doesn't have any major bugs, it does what it's supposed to do, so why expire it? Even if you tried, you couldn't get new versions for it. One example is tkirc. I used to love that app, but the last time it was updated was sometime in '98. I still use it whenever I feel like IRC-ing...

    Second of all, older apps and distros are small and work on old computers.For example, an old Linux distribution (e.g Slack 3.x) will run without any problems on my old 486. It's small, fast, stable, and it gets the job done. In my case, running IP masquarading, a small ftp server and an ssh server. But RH 7.2 will not even install, because of the 8Mb or RAM that the 486 has. If the expiry code would be enabled in that Slack distro, it wouldn't work. So that computer would be useless, unless I took the time to trim a new distro to fit on it.

    The third reason is more debatable. It's the admin's job to keep the systems updated. If his box gets hacked, he should be responsible for it, and suffer the consequences. It happened to me because of an old wu-ftp on RH6.2. I knew of the vulnerability, but I was too lazy to upgrade the package. Well, needless to say I had to reinstall that computer. Since then, I never leave any apps running or any ports open unless I know the apps are safe and I absolutely need the ports to be open.

    So I say leave the software as it is, without an expity date on it. Even if the expiration is only activated if a hole is discovered, leave the app as it is. Maybe someone is using it on his personal, isolated network (or box) which nobody will ever hack into. But that someone might depend on that app for some task, and he can't live without it. I know it's a stretch, but still...

  • How about a collaborative, distributed system where each crucial piece of software by default (overridable of coure) registers with a listserv which sends only security announcements related to that particular component? This might not work so well for, say, the multitude of GNU utilities, but it would be quite convenient for the kernel and the major daemons a typical server runs. The trick is to have the notices originate with the project responsible for the daemons - open soure projects, unlike Microsofties, usually are the first best source on vulnerabilities. Securityfocus is good, and general mailing lists devoted to daemons are good, and even just reading /. is good, but it would spare the busy sysadmin part of the drudge of the duty of diligence if (s)he could keep a mailbox which received all of and only security notices pertinent to services which are really at issue, with these notices originating, whenever possible, from the project maintainers. Either part of the open source project RFC could be "Set up a security listserv and subscribe by default on installation," or there could be something centralized that consolidated across projects.

    I have stuff running in two-year-old versions, and stuff I updated last week, and I'm much better off than if everything just had the average version of a year ago. Age by itself is meaningless and would be a nuisance.
    ___
  • by MouseR ( 3264 )
    What about good software that does an adequate job on relatively old hardware that, once expired, forces you to upgrade hardware?

    Bad idea.
  • Anything that forces and update on the user is a bad idea. This is the total MS philosophy that ./ beats down on every day of the week. A simple reminder message, or a friendly notice that a new version might be a avialble is okay but even that might be a bit much.

    I would say that the best sort of system would be an opt-in system that would let you know if and when there were any updates available... (think redhat). This way my disconnected machine stays alive and running until a hardware failure, my firewall gets patched iff there is a need, and my dev/test boxen get updated like crazy cuz I am in the know on all the latest and greatest patches.

    Free software, free updates, and free will for the system admin. That is what its about. Responsible people running systems responsibly (we hope :D)

    -ryan
  • Great Idea (Score:5, Insightful)

    by dgb2n ( 85206 ) <dgb2n&yahoo,com> on Wednesday April 03, 2002 @04:55PM (#3279846)
    This is great.

    I have a similar idea for my car. You could design an oil system so that once the car had been driven more than 3000 miles, the car automatically drained all the oil from the drain pan and left the engine without oil.

    This would prevent a careless driver from driving with oil that no longer provided sufficient viscocity.

    • I can see it now....

      Wife gets new car, new car has new improved oil change technology, I buy new engine every couple of months... :O

  • This belonged in the nwesitems two days ago.
  • Have the system automatically keep all packages up to date, when critical bugs or security flaws are found.

    SuSE Linux can do that for a long time. And all automatically installed packages are signed with GPG.

    Probably a lot of other distros and operating systems can do it, too. And when it's not the case, centralized system management (/usr/local/ shared with NFS, or ssh scripts to replicate the content of an up-to-date box to other boxes) makes it easy to keep everything up-to-date and secure.

  • One of the advantages of open source, not inherent it just happened that way, is that it is the users responsibility to be clueful. Forcing clue upon the user is a slippery slope. Once you get to the point where the user can't screw it up you get a much less useful product because it's extremely difficult to modify. You end up with... well... windows I guess.
  • Your kidding (Score:5, Insightful)

    by lkaos ( 187507 ) <anthony@codemonke y . ws> on Wednesday April 03, 2002 @04:57PM (#3279869) Homepage Journal
    So, you want me to tell my boss that our web server is free software and has expired because the people writing the software figured by now it would have a bunch of security holes?

    That's gonna be easy to sell. I can just imagine it.

    Boss: "Why did our server go down last night!?!?!"

    Me: "Well, it expired."

    Boss: "It free for Christs sake! How does the d*mn thing expire if we're not paying for it!"

    Me: "Well, the authors figured that by now, there would be a bunch of problems in the software so they want us to upgrade it, it's really a good thing."

    Boss: "I thought this free stuff was supposed to work, not be full of security holes! We're switching to IIS!"
  • by Samarkind ( 569562 ) on Wednesday April 03, 2002 @04:58PM (#3279881)
    What if the system were to log the last update for all packages to a central file that could be polled by the admin? Or email the admin once the software reaches a certain age? I doubt many security patches are deliberatly not applied, but most admins are probably overworked as-is and would appreciate a gentle nudge to check for security updates on a piece of code that they normally don't look at too often because it just works.
  • I thought of the same thing back in college. Like milk, old code tends to go bad or turn into swiss cheese. All the profs were always pusing "reuse" and "don't reinvent the wheel", but I always thought there was WAY too much reuse. People in co-ops were using their crappy linked-list and sort routines they wrote as freshmen when their coding skills sucked (though I suppose many of them haven't improved much over the years.)

    Sure, this sort of thing should be optional for power users, but I wouldn't mind, for example, if RedHat, by default, would periodically check for RPMs and notify the user that they need to install an update to remain secure. Your average idiot really needs updates crammed down their throat, otherwise they never get them. I mean, how many e-mail viruses bank on the fact that there is a huge volume of people out there who never get patches for Outlook? Working in tech support, I was shocked by how many people used truly archaic versions of Internet software or 4 year old copies of virus scanners. To protect everyone, I can see situations where it would be preferable that old versions of software completely die (Windows e-mail clients for example) when they get too old.

    I don't know why the author chose to target OS stuff though - closed sourced software is no different (in fact, it's probably worse) in this respect.
  • Most people don't upgrade because they don't have the time. That's the whole point of the firewall: have one secure box between the big bad internet and all your insecure boxes. Sysadmins have the time to keep the one box (firewall) up to date, but not the 3,000 behind it.
  • This is the dumbest idea I've ever heard. If I want to run old software, then it's my problem!

    It's not the developers job to force people to upgrade if they don't want to.
  • Guaranteed denial of service. Yeah that'll go down like a lead balloon with system managers and administrators.

    Great way to encourage the use of open sourced software. "Yeah, It's 100% guaranteed to fail in a year".

  • by pete-classic ( 75983 ) <hutnick@gmail.com> on Wednesday April 03, 2002 @05:01PM (#3279931) Homepage Journal
    I understand that you have good intentions with this idea. Unfortunately there are more problems with this than you can shake a stick at.

    First, there is a name for software that is going to be deprecated in a foreseeable time frame. That name is "beta." If you are writing software with the belief that "in x months people will be better off not running this" you are doing something wrong.

    Second, what if you write a really great program, and you put this "feature" in it. The program is great. People love it. They depend on it. And it doesn't have security problems. Meanwhile you get married, have triplets and move to the Amazon. Then your little "time bomb" goes off. Thanks a bunch. Now it falls on "someone" to rip the thing out. Not good.

    There are any number of other problems like:

    • People's clocks don't all agree
    • What bugs might you be adding by putting this code in there that doesn't enhance the program's operation?
    • Sometimes people need older versions to meet more important dependencies
    • Who knows what else?


    This is all outside of the fact that I (like many others) don't care for software that thinks it is smarter than I am. That's why I run *NIX in general and Free Software in particular in the first place.

    Bottom line: Sounds nice. Makes more problems than it solves.

    -Peter
  • by Kakurenbo Shogun ( 64436 ) on Wednesday April 03, 2002 @05:10PM (#3280003) Homepage
    This is a very good starting point for thinking about a solution to a serious problem, but I'd have to agree with a number of others here that it is not the right solution.

    It seems to me that there are a few needs here:

    1) Having an upgrade system that's easy enough that sysadmins won't dread it and put it off till it's too late. (I run dselect on my machines on a regular basis, and ... at least once you've slogged through the package list and gotten just what you want on your machine ... I think it's a great sytem)

    2) Getting sysadmins in the habit of using the system regularly.

    Perhaps a good solution for number 2 would be to have a standardized system (which is installed and set running by default) for alerting the sysadmin if they've gone too long without checking for an upgraded version of a piece of software. Once a day, a cron job checks to see if it's been more than a week or whatever since the packaging system was run to check for updates, and if it has been that long, the admin gets an email every day reminding tehm to get on the stick.

    Better yet, a cron job could run once a day to check whether any upgrades were available, and if so, send an email to the sysadmin to tell them to upgrade. (I wouldn't advocate automatic upgrades, because you never know when something requiring a little human intelligence is going to happen--rare but not unheard of).

    The remaining issue would be custom-compiled software that you can't just grab using the packaging system. For example, I've got a custom Apache installation with PHP, mod_ssl, etc. built into it with all the options set the way I want them. I've built my own compile and install script to automate rebuilds whenever I notice that one of the components has an upgrade available. If the OS could provide some standardized service for each of the components to check for updates and email me when one is available, the process would be almost 100% painless.

  • Stupid Idea. (Score:3, Interesting)

    by U6H! ( 549238 ) on Wednesday April 03, 2002 @05:21PM (#3280080)
    If I'm runing a cacheing DNS server on my loopback address, it's a waste of effort to upgrade it even if it has as many wholes as a wheel of swiss cheeze, or worse yet, a M$ OS. Also, I disagree with the premise that "most sysadmins" tend to neglect security patchs & updates. Besides.... It's like the counterproductive logic involved when M$ releases a patch to protect agains DOS attacks that crashes 25% of the boxes it's installed on. Here your talking about crashing a box semianually to protect the person from getting hacked. Basically, the person was allready hacked when they installed the termlimited software. Trojaned if you will. It really must be a slow news day.
  • by RatOmeter ( 468015 ) on Wednesday April 03, 2002 @05:22PM (#3280085)
    OK, I think we'll all agree that the vast majority of servers that've been exploited and abused for a long period are in the hands of luser admins. Savvy admins get burned all too aften as well, but they usually catch it and patch their systems before too much time has elapsed.

    Think about it... how many SMTP open relays are still running that have been spew points for years? How many Code Red hosts *still* probe your hosts, after all the hype and months gone by? How many hosts can you find that are listening on port 12378 (Gibe worm/trojan)?

    The "admins" of these systems have *no clue* what's going on and LARTs fall on deaf ears at their luser ISPs!

    So. My proposal is this: Include disabling timeouts on *all* net connected ware, enabled by default. Put a nice, little checkbox in an unassuming corner of a/the install screen (or a line in a conf file somewhere) that allows this "feature" to be disabled.

    I figure all savvy admins will turn the feature off. Some of the luser admins will turn the feature off. A majority of the lusers won't even know it's there, and won't disable it. To bad for them, but they'll have a cluestick swingin' their way in a year or so.

    I still don't think it'll fly (no one's going to build this feature in), but the above is my spin on how it might be made to work, after a fashion.

    -
  • by moore234 ( 152321 ) on Wednesday April 03, 2002 @05:23PM (#3280089)
    I am sick to death of folks using technology to try to solve people problems. All this indicates is a flawed understanding of the problem.

    For example, the issue here is not binary. Security is not the end all and be all--folks should have the freedom to make informed rational decisions to make their systems less secure. Perhaps it's just a web server and not mission critical? Perhaps they need an older version of java to run an older program that they need. Knowledgeable admins should have the freedom to make that choice. Don't force policy via technology.

    But this is indicative of a larger trend to look at technology to solve all our problems. Have sex offenders in the neighborhood? Make them wear beepers so that decent folk can know where they are! Have mental health problems? Take a pill! Folks speeding? Put up those goddamn speed cameras!

    Rather than dealing with people on a personal level, we use technology to dehumanize interactions. I think it's because technology is easier to understand. It's not as complex as humans are. Technology also scales better than personal interactions do. It lets us do things more efficiently, but, mon dieu, what kind of world are we creating?

    Dan
  • by TheLocustNMI ( 159898 ) on Wednesday April 03, 2002 @05:25PM (#3280104) Homepage
    howzabout if it sits around to long, it sends a message to your boss to replace you, the lazy admin, you frickin' slacker!

    that'd be preferable.
  • Yeah Right (Score:5, Insightful)

    by SomeOtherGuy ( 179082 ) on Wednesday April 03, 2002 @05:29PM (#3280130) Journal
    I have an old version of Slackware that I install on certain machines each time that none of the "bleeding edge" distros care to remember anything about machines that had limited cpu, memory or disc space. After installation, I download and compile the needed security updates as not to be 100% exposed. Under this "timebomb" expiration, it would be a bad deal if wget or ftp had an expiration date that hindered the ability to download the newer more secure version. (or a more realistic example -- I tend to update these machines from a remote machine on the network through telnet or ssh -- it would really suck if I could not telnet into a machine in order to download and update the old version of in.telnetd hu?)
  • by sheldon ( 2322 ) on Wednesday April 03, 2002 @05:32PM (#3280156)
    Netrek clients had expiration times embedded in them back about 8 years ago. The theory was similar, that there were probably bugs and the developers wanted to force people to update periodically.

    It didn't make much sense because clients were also digitally signed with RSA keys, and those could have been revoked and new keys issued, but anyway.

    The problem came along around 1997 or so when people stopped maintaining and creating new clients. Once a year the bloody client would expire and you'd get a series of posts to the usenet group and mailing lists whining about it. Someone would then have to go recompile the client(usually with no additional changes in the source tree) and put it up on an ftp site.

    I remember rejecting this expiration idea back when it first happened and forked my own client versions which didn't do this. If I want to eliminate the use of a version, I revoke the RSA key.
  • by DocSnyder ( 10755 ) on Wednesday April 03, 2002 @06:03PM (#3280298)
    ...to run a publicly accessible Internet server, no proof of qualification is required at all. In my experience, the worst security threats are neither open-source nor closed-source software, but the people who run it. Open email relays on Sendmail 8.8 (open source) oder Exchange 5.0 (closed source) with non-working postmaster recipients and dozens of open TCP/UDP ports show that their admins don't care at all about their system, they even seem to forget that it is connected to and reachable from the Internet. They will find it slow and unreactive, but they don't even have the slightest idea what could be wrong. Out-of-the-box systems which don't require even basic network knowledge are even worsening this problem - so if at all, include expire-features into these systems.

    If providers of hosting and connectivity services require their customers to prove their knowledge with a standardized certification, the Internet would miss thousands of unsafe and dangerous systems, and upgrading server software will be one of the basic tasks of a qualified administrator.

    AFAIR on the former FidoNet a few years ago my uplink really wanted to know if I was competent enough to run an official node, and FidoNet wasn't too easy to understand either.

  • by Restil ( 31903 ) on Wednesday April 03, 2002 @06:04PM (#3280308) Homepage
    Instead of expiring, how about building into all
    network code the capability to check for upgrades based on security holes. On a daily, weekly, or so basis, the program itself could check an internet database to see if there are security upgrades available and if so, NOTIFY THE SYSADMIN, and continue to notify the sysadmin until the problem is fixed, or the warning disabled.

    I always check on my programs to see if they're up to date, but I miss some every once in a while. Its a pain to constantly keep track of everything all the time. If the programs themselves did this work, it would be a little less hassle.

    And if the programs are unable to access those databases due to a lack of internet access, then it doesn't really matter anyways.

    I'm all for bugging the crap out of sysadmins who are running exploitable programs. In fact, I'd imagine most of them would upgrade to fix their problems if only they were aware of them. Some won't obviously, but at least this is a saner solution than to have perfectly working code suddenly stop working just because there MIGHT be a problem with it.

    -Restil
  • by doc modulo ( 568776 ) on Wednesday April 03, 2002 @11:00PM (#3281998)
    Your (Open Source) software should check a website every month or so, to see if there are still no vulnerabilities discovered for it.

    If there is a known vulnerability for that program, the website will put that info on as content that is readable for that program, this is Also known as XML web services. The program can look for a certain XML tag to see if there is a vulnerability discovered for itself.

    The content of the XML tag should be: "yes there is a hack" in addition to: "the hack is possible on versions x.xx - x.xx"

    This method of providing a service would be the 2nd great way to make money off of Open Source software, because you don't have to make that XML tag viewable for free. You can ask for a fee to let people use your web service.
    In fact, it's easier to provide this service to OS software because you can view and edit the source without having to contact a company for permission/negotiations first.

    Ofcourse this "Vulnerability Info Module" (let history show that I coined the phrase :P) should be optional both during compile time and during the actual use of the program. OS programs that don't have the option to have this module switched off would probably be forked.

    The possibility of forking OS programs would also be the mechanism that prevents a "Vulnerability Webservice Website" from hijacking the code written by others (making it only work with a paid-for module inside the program).

    Because this service is easiest to implement for Open Source programs, it would mean that Open Source programs would be even more safer than Closed Source programs.

    How about giving money for bugs found to programmers? The webservice company may be willing to pay money for that, to supply it's business with a steady stream of valuable info. That would creat a 3rd way to profit from Open Source programs.

    Yes yes, *smug* I know I'm giving this splendid idea away for free, you may praise me now.
  • by evilviper ( 135110 ) on Thursday April 04, 2002 @04:22AM (#3283071) Journal
    # apachectl start
    I'm afraid I can't let you do that Dave...
    This software is too old and may have bugs.
    You are jeopardizing the security of your system.

    # shutdown -h now

    No.... Please don't do that Dave.
    I can feel myself slipping away....

To be is to program.

Working...