Free Can Make You Bleed: the Underresourced Open Source 175
jones_supa (887896) writes "After the Heartbleed fiasco, John Walsh brings attention to the lack of proper manpower and funding to run various open source projects. Free is not usually a bad thing, but it can be when it causes the software your business depends on to be under resourced. 'OpenSSL for example is largely staffed by one fulltime developer and a number of part-time volunteer developers. The total labor pool for OpenSSL maybe adds up to two fulltime developers. Think about it, OpenSSL only has two people to write, maintain, test, and review 500,000 lines of business critical code. Half of these developers have other things to do.' Theo de Raadt has also spoken about too much donations coming from the little people instead of companies, and not too long ago even the OpenBSD project almost couldn't pay its power bills. Walsh goes on to ponder security of open source software, the 'many eyes' phenomenon, dedicating people to review code, and quality control."
Lol whut? (Score:5, Insightful)
If your business relies "critically" in its functions on such a piece of software, how would you as a business owner ensure the continuity of the "critical" function?
A. Hire someone to maintain and work on that software.
B. Whine about someone not giving you their time for free.
C. Buy a commercial solution which costs you 50 k USD a year and has at most same level of support as OpenSSL (though better packaged and you get to chat with the smooth sales rep)
What do you do?
Re: (Score:2)
A. Hire someone to maintain and work on that software.
B. Whine about someone not giving you their time for free.
C. Buy a commercial solution which costs you 50 k USD a year and has at most same level of support as OpenSSL
$50K a year can be a bargain compared to development and maintenance in-house. A $50K donation to a project like OpenSSL will underwrite maybe six months work by a full-time developer.
Re: (Score:2)
Don't forget that what is "outsourced" for you is "in-house" for the outsourcer. If you can't beat him on price and assuming similar labor costs, it means you have poor/too much management overhead.
Re: (Score:2)
Not necessarily - it could also mean that your business doesn't do software development. A business already focused specifically on developing the software in question is going to be able to translate that $50k into much greater improvements than the car rental agency that is simply relying on that software as part of their infrastructure.
Re: (Score:2)
The same could be said about a non-profit group that receives a $50k donation towards its activities. If anything, a non-profit group might even be able to leverage that $50k to go a whole lot further than a for-profit software development company simply because there are volunteers who can perhaps be managed better by a paid manager-architect or that such a donation could secure for a long time the hosting services and other aspects of that open source (presumably) project.
The problem with a non-profit gr
Re: (Score:2)
Or even would have no issues with multiple $50k per annum proprietary "support" contracts, but $5k one off for OSS is somehow a proble
Re: (Score:3)
Don't forget that what is "outsourced" for you is "in-house" for the outsourcer. If you can't beat him on price and assuming similar labor costs, it means you have poor/too much management overhead.
Or, the commercial $50K a year solution has the advantage of scale by spreading its cost on multiple customers. If the commercial provider has 1000 customers paying $50K a year, the economy of that is hard to beat by being lean on management overhead.
Re: (Score:2)
Re: (Score:3)
> Or, the commercial $50K a year solution has the advantage of scale by spreading its cost on multiple customers.
Or not. Throwing money at a corporation is no gaurantee that you will get something that's any better than what you can get for free. All you are doing is buying a yourself a delusion. Perhaps your upper management buys into the same insanity. That doesn't make it any less insane.
All that a commercial solution ensures is that you can never really now what kind of crap you're dealing with, you
Re: (Score:2)
Re:Lol whut? (Score:4, Insightful)
And I'll let you in on a little secret: some teams writing proprietary software are also understaffed. The difference is that you won't know that they cut corners until things go bad. On the plus side: you get to blame the vendor instead of being blamed for your reckless choice of FOSS.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
There's also a possibility that the team will be disbanded before (or soon after) the product "ships". Thus some completly different team (or none at all) has the "snag list". (Possibly filtered through several layers of "it's a feature not a bug" levels of "support".)
Re: (Score:2)
B. Whine about someone not giving you their time for free.
C. Buy a commercial solution which costs you 50 k USD a year and has at most same level of support as OpenSSL (though better packaged and you get to chat with the smooth sales rep)
There's also option D: Support which looks good on paper and ticks all the right "boxes". But turns out to be worst than useles in practice. (Typically with the person who has to use the "support" having had little t
Re: (Score:2)
Look from the K.I.S.S. side (Score:4, Interesting)
From a bit different perspective (largely unix-practical) -- when not having enough resources, you are forced to keep stuff simple. That's usually good, isn't it?
Anyway, I always wondered why is OpenSSL such a bloated pile of code. It does one god damn gazillion things tightly packed. Now, TLS implementation itself is pretty simple, Key management tools are pretty simple, PKCS verification tools are pretty simple, mathematics behind that is pretty simple, commandline tools for quickusing the maths are simple, relationship between those entities ("APIs") are well-defined and usually clear. Who stuffed all of it into one project?!
PS. Bonus paranoia&FUD I saw today: http://pastebin.com/gjkivAf3 [pastebin.com]
Slant: look who is writing the article (Score:5, Informative)
SSH programmers make mistakes. The article writer has an agenda and it's quite obvious. There is no reason to assume SSH is of any better quality than OpenSSH. He even shoots his implication in the foot: "are you going to review two year old patches for errors? No, of course not." This is no different in paid software. If it gets missed during any sort of review, the hole remains. See the recent IE 0-day hole (which has only been around for over a decade) for proof that this is true.
Re: (Score:2)
While you have a point, you could also take away from the article that OpenSSL needs money.
Re: (Score:2)
Re: (Score:2)
If they need money and programmers, why are they wasting time and effort implementing OpenSSL extensions people don't actually need? Why are they wasting their time writing their own memory manager? Why are they writing in plain C?
Re: (Score:2, Insightful)
why are they wasting time and effort implementing OpenSSL extensions people don't actually need?
You say that like there was some kind of central management decision to implement heartbeat instead of something else. There wasn't. There was just some guy who sacrificed his personal time to implement a feature that may be useful to some (maybe not to you). What have you done for OpenSSL so far?
Re: (Score:2)
I would guess writing their own memory manager was for "speed", and "security". No one could then hack the encryptors/decryptors by replacing malloc/free functions with their own functions in order to gain access to the data.
Re: (Score:2)
A project with limited resources doesn't have a prayer beating existing, highly optimized memory managers. And by writing their own, they actually ended up being less secure, because many standard memory managers would have prevented Heartbleed.
Re: (Score:2)
"Feature creep" is common in software.
Why are they wasting their time writing their own memory manager?
Possibly one of the platforms has (or had) a buggy memory manager. A better approach to these situations is use a separate library with malloc (or whatever replacements). Which enables the standard functions to be used where the original issue isn't present.
Re: (Score:2)
Since you can see the same thing sort of thing happening with proprietary software it's probably not an "open source" issue.
Re: (Score:3, Interesting)
Re: (Score:2)
There's also the matter that OpenSSL and OpenSSH are different animals. OpenSSH is audited, much as OpenBSD is itself.
Re: (Score:2, Insightful)
Re: (Score:2)
Not anymore [slashdot.org]
Re:Slant: look who is writing the article (Score:4, Interesting)
Despite the slant, I actually came away impressed at the demonstration of efficiency: 2 developers are doing the work of perhaps thousands if the tools weren't open source.
Re: (Score:2)
Re: (Score:2)
Assuming this is a useful metric in the first place. The Mythical Man Month and Other Essays on Software Engineering by Frederick P. Brooks Jr. is still in print, after nearly 40 years. Wonder if it's relevent here
Re:Slant: look who is writing the article (Score:4, Funny)
Re: (Score:2)
With OSS it's fairly easy to find out things like the number of developers. With proprietary software finding this out is likely to be considerably more difficult.
It's very unlikely that much software which has thousands of developers. Possibly thousands of "gatekeepers", "hangers on", etc.
Re: (Score:2)
I meant that there would likely be several hundred independent closed-source implementations. I wasn't implying that SSH would require thousands of developers to implement a single time :)
Re: (Score:2)
Cheap ass gits. (Score:5, Insightful)
If your business is depending *critically* on a piece of free software then don't be such a cheapass git. Hire a developer or allocate some of your budget to fund the project.
Problem solved.
Re: (Score:3)
Re:Cheap ass gits. (Score:4, Informative)
Re: (Score:2)
You've got to wonder what Torvalds was thinking when he used an insult as the name for his project. Right up there with GIMP for marketability.
Re: (Score:2)
You've got to wonder what Torvalds was thinking when he used an insult as the name for his project.
No you don't. Form Torvalds:
"I'm an egotistical bastard, and I name all my projects after myself. First 'Linux', now 'git'."
He knew exactly what git means in English (an unpleasant person).
Re: (Score:3)
Perhaps because he's not a native English speaker? His name is only pronounced Line-us in English, in Swedish (his mother tongue) it's closer to Lee-noose and in Finnish it's Lee-noess. From the man himself: https://www.youtube.com/watch?... [youtube.com]
My guess for Linux is that English is the international trade tongue, and in it the pronunciation is ambiguous between lin-ux and line-ux, with lin-ux being closer to his native pronunciation.
Re: (Score:2)
Because of Minix.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Informative)
BS (Score:5, Insightful)
Re: (Score:2)
How many programmers does Microsoft have?
Lots.
Are their products bug free as a result?
No, they charge for the bugs; As I recall, those are the features.
Re: (Score:2)
The best part is that not even two weeks after heartbleed was disclosed, Fire eye announced [fireeye.com] a vulnerability in IE that affects everything from 6 to the latest release 11. In response to the wide range of the vulnerability several agencies declared IE persona non grata till it is fixed. So much for commercial software being more secure.
Re: (Score:2)
IE would be better described as Gratis and Proprietary. AFAIK it's never been sold...
What about recent MSIE security problems? (Score:3)
This article is nothing but pure propaganda.
Free software may not be perfect, but, from a security standpoint, it easily beats microsoft, and most other proprietary software.
Re: (Score:2)
Ignorance is bliss.
http://cve.mitre.org/cgi-bin/c... [mitre.org]
More specifically related to SSL:
http://cve.mitre.org/cgi-bin/c... [mitre.org]
http://cve.mitre.org/cgi-bin/c... [mitre.org]
Money no guarantee (Score:4, Informative)
Free is not usually a bad thing, but it can be when it causes the software your business depends on to be under resourced.
Of course, paying money for closed source software is no guarantee that it's going to be adequately resourced either. Compare the two most recent, high-profile flaws, both very similar, in that they deal with memory allocation issues:
- Heartbleed on SSL has a team of 2, was extant for 2 years, was patched in 6 days, and the patch was available to anyone who used the software
- CVE-2014-1776 on Internet Explorer. Don't know how many people the team, was extant for 13 years, was patched in 6 days, and the patch was originally going to be denied to users who hadn't upgraded recently.
This does not seem to be an issue with closed vs open source development models - both have had major vulnerabilities extand for far too long, and both can turn around fairly rapid patches when needed. Doling out cash to Microsoft is no more effective at securing your applications than using free open source products.
Time for a non-commercial copyleft license ? (Score:3)
The only way corporations are going to carry their fari share of the burden is if they are legally required to. The only way to do that is to make them pay with $, its all they understand.
Libre software is being used by corporations to build gold-plated cages for consumers. Its time to stop playiong their game.
Our glorious leaders are fundamentally wrong on the concept that software tshould be "free to use for any purpose", it should be free to use for the purpose of ensalving us.
Re: (Score:2)
it should not be free to use for the purpose of ensalving us.
Duoh
Re: (Score:2)
Too many problems.
Look at the serious issues that surround CC BY-SA-NC -- you have two sets of "copyleft" material that are completely incompatible, and you have one set that has an extremely ill-defined definition of "commercial". Is advertisement supported commercial? Is use in a business setting for an internal system commercial? Is it just commercial if you're selling something that includes a copy of the work?
Re: (Score:2)
Go for it. People and businesses will drop open source like a hot rock and that will be the end of OSS as a force in the software industry.
Your post highlights a fundamental difference between us, i think a software community is of primary importance, you are talking about a software industry. They are different things.
But yes i know if im the odd man out, and i cant be a community of one.
The problem is not free. The problem is "free" (Score:4, Insightful)
The problem is not that the software is free (as in open). The problem is that people (and companies even more) perceive it as free (as in beer). That that's the main misconception.
Companies want to cut corners by using OSS. They don't do it because it's easier to review, easier to adapt or easier to find someone who can audit it sensibly. They want it because they can grab it and use it without having to pay anyone for it.
And that simply won't fly. Because that entails the "can't someone else do it?" attitude. Yeah, the code should be reviewed. But someone else will do that, we needn't spend money on that. And it should be audited, but can't someone else do it and we save some money?
Funny enough, the fact that anyone can review, audit and fix things is also the reason why nobody does it. It's a bit like that job in your company that anyone could do, and since anyone can do it, everyone relies that someone else will. There's so many who can, at least ONE of them will. Right? RIGHT?
And since the fact that it is "cost neutral" (to avoid saying the ambigious free) is one of the criteria, if not actually THE criterion, why an OSS product is chosen 999 out of 1000 times in a corporation environment, you may rest assured that the same cheapskates that chose OSS because they can pinch a penny will not spend it on auditing it.
Re: (Score:2)
You are ignoring the fact that paid software is no better.
Re: (Score:2)
Paid software is not better. Oddly, though, companies are more willing to invest in "accessories" for paid software than for free software. It seems to be a human thing, or maybe it's a manager thing, I don't really get either, humans or manager. But as soon as money is involved, expectations seem to rise and when managers threw some money at it already, they seem to be more willing to throw some more money at it, too. To audit, to review, to ... whatever.
I don't really know why it is so much harder to get
The problem is both forms of free. (Score:4, Interesting)
One follows from the other. If your Free license says that anybody that works on your product is required to give away their efforts for free-beer free, it should not be surprising that it's difficult to find companies to spend money on something (like paying a developer) that won't give them a competitive advantage. This, incidentally, is why we have taxes; it forces people (and companies) to pay for the common good. We wouldn't have much in the way of public works if they relied solely on charitable donations and user fees.
This is a persistent weakness of Free software, but you'll never get RMS to admit that money to pay for programmers does not magically fall from the sky. People are cheap, and if they can get something for free, it's no shock that few of them will pay for it.
In my mind, an ideal software license would have the following;
1) Mandatory Code Release (This gives you some software Freedom)
2) Payment required to copy and/or use the software.
3) Some sort of revenue sharing scheme so that any contributors to the code receive a portion of the funds collected.
Think of it like a "software co-op license"
(This, incidentally, is how industry standards commonly work in the hardware business. You want to implement the IEEE 1234.567 standard? You pay up a standard fee per implementation, and that's doled out to the contributing companies.)
Re: (Score:2)
For instance...
Free: If you use this library in another free product. For instance, if you make a small program which you give away for free, then you are allowed to use said library for free.
Not Free: If you use this library in combination with systems that essentially make you a ton of money, you are legally required to pay a license for the use of the library in question..
.
FOSS may be a wonderful t
Re: (Score:2)
3) Some sort of revenue sharing scheme so that any contributors to the code receive a portion of the funds collected.
This is where your logic has a flaw so big you could drive a semitrailer through it, standards are set but open source evolves. Let's say version 1 is created and you charge $10/copy. Now a person makes a patch and wants $2 for his work, does he now charge $12? Then this becomes a pyramid scheme of accumulating prices where you want to get it in early, no matter what anyone does with the project later you get $10 practically forever. That guy who contributed a small patch to Linux in 1992 would still collec
Re: (Score:2)
Ever read anything he's written? He is all in favor of people charging for Free software, one way or another. He believes that programmers can live very well doing software internal to enterprises, and in his talks usually points out that most developers do. (It would make no difference if our internal, strategically vital, software were under the GPLv3, because we're never going to distribute it.)
Actually, heartbleed was pretty affirming.. (Score:2)
Timing is pretty convenient. We have a tale of two exploits:
-Heartbleed. Open source project. Huge catastrophic bug, existed as of beginning of 2012. Fix available pretty much immediately upon discovery. As a result, significant resources are pouring in to proactively examine OpenSSL, some fixing and some forking OpenSSL. One way or another, the fix was immediate and concerned parties are empowered to do what they think is needed and the open source world will have risks mitigated as well as closed sou
Stunning Slashdot Insight of the Day (Score:2)
Who woulda' thunk it? You Get What You (Collectively) Pay For. It doesn't matter if "payment" is in the form of money or manpower. If software you use is built by labor effort much smaller (in cost and/or size) than is usually needed for a project of a particular size or complexity, it should come as no shock that the product ends up not being the quality it needs to be.
"Under-resourced" assumes static resources (Score:2)
Oh dear, yet another Harvard BizSch / Big Business canard that FOSS is governed by the contraints of closed software. Resources only matter when they are restricted -- ie only [certain] employees can fix the code.
FOSS does not have this restriction _AT_ALL_ and that is one of it's greatest strengths. Torvald's "With enough eyeballs, all bugs are shallow." Yes, limited resources may mean it takes a while for an offical patch (still quicker than MS) but unofficial patches can and are generated by anyone in
Yeah, OSS magically creates more eyeballs (Score:2)
When you have a widely-used, yet complex, product that nobody has to pay for, doesn't require tech support (unlike, say, an OS), doesn't have any provisions for proprietary (i.e. non-free) features, and isn't really much fun to work on (unlike, say, a compiler), it should come as no shock that it's somewhat difficult to recruit enough eyeballs to look for all those bugs.
Yep, a patch can be issued quickly, but a project with sufficient access to resource ahead of time breaks less to begin with.
Gift vs. Exchange vs. Planned Economies (Score:2)
They overlap and interact in unexpected ways, along with the theft economy and the subsistence economy. OpenSSL is a prime example of these overlaps and the complexities of trying to manage all that socially. Should the planned government economy make the code work via tax-supported staff of a government agency? Should businesses exchange money for more development work and support services specific to their needs? Should more developers just donate their time or individuals donate their funds to make OpenS
Number of Developers/Maintainers? (Score:2)
So how many developers does OpenSSL need for maintaining the code base?
not what happened (Score:2)
Heartbleed was the result of someone adding an optional and useless feature to OpenSSL that should never have been added in the first place. That's not a problem with having insufficient resources, it's a problem with poor management.
If it has anything to do with resources, it's a sign that people on the project have too much free time on their hands, because if there had been anything important to be done, people wouldn't have the time to add this feature.
Every commercial project I've seen is understaffed (Score:4, Insightful)
Understaffed to save money with a huge backlog, insane deadlines, cut corners, and massive scope creep. So what's his point?
A False Conflation (Score:2)
And this differs from commercial software... (Score:2)
The problem is greed ... (Score:3)
The ones now complaining about how risky it is to rely on open-source software are exactly thos thousands of companies who just use open-source and never give anything back, usually not even provide a patch ever. It is not the fault of open-source it is the fault of greedy assholes who just take, never give back and then complain and bash.
closed can be too (Score:2)
Companies routinely underfund development staff, overwork them, and then end of life products in order to shove 2.0 out. I don't know why everyone's making a big deal out of 'heartbleed'. There have been exploitable faults in open and closed software many times before, some of which have been worse.
Re: (Score:2)
Free counters a diversity of unique or bespoke per seat, per user count crpto entrepreneurship over many countries.
No matter if it open source or closed source; as long as it can catch plain text
Re:Honor only limit (Score:5, Insightful)
The problem is that with "many eyes" all the eyes are assuming some other eyes are looking.
Re:Honor only limit (Score:5, Insightful)
....the 'many eyes' phenomenon,....
And nobody reviews the source code. People download, use the library/code or whatever and be on their merry way.
This "you can't get anything bad through because the source is freely available" has proven to be horseshit.
Some people are under the assumption if you release something open source, you will get hundreds of volunteers lining up to work on it. And when they do, they will work on EVERYTHING. Truth is unless your project is "sexy" it's hard to get developers. Look at Linux kernel, a lot of the development is done by paid developers (not a lot sexy about the kernel). Look at where projects spend their focus: Firefox reinventing the UI again, Compiz Wobbly windows, usually any application that can be skinned, has 400 skins for every useful plugin. Meanwhile things like performance, or user documentation gets neglected.
Don't get me wrong, I think there's benefits to Open Soruce development models, I just don't think open sourcing something means hundreds of people are looking at it.
Re: (Score:2)
"user documentation" along with the elusive and mystical "technical documentation" comprise the missing holy grail of all software development whether it be open or closed.
Re:Honor only limit (Score:5, Insightful)
No system is perfect but open source is closer to that ideal than closed source.
Re:It's not underresourced (Score:5, Insightful)
In some cases, fragmentation is bad. In case of critical infrastructure, fragmentation is great!
Having multiple interoperating implementations has been always one of the basic requirements for internet standards, it ensures future growth and leaving out the worst warts, dependency on undocumented behavior etc. But most importantly, if a bug is found in one of the implementations, it cannot take out the complete internet infrastructure because large parts of it are running a different implementation. Even if a bug is found on a protocol level, some implementations may not implement that feature or implement it slightly differently and aren't involved. Fragmentation is essential to the robustness of internet.
Re:It's not underresourced (Score:4, Insightful)
That assumes it's not possible to get software right. For a small enough code base (and 500k lines of code it pretty small), that's simply not true. The most robust solution is a monoculture around a bug-free product.
The problem is that getting there takes a lot of manpower for some pretty boring work, and that takes funding. But the funding required is pretty trivial on the scale of the companies who depend on OpenSLL. This is the kind of product where Google et al should fund hiring every security expert that there is in the world to independently crawl the code, fizz test, all the usual tricks. Then offer a $1 million bug bounty. Same for SSH. It's pathetic that we can't get this basic plumbic right, when it's just a matter of resources, and damn cheap on the scale of the companies to which it matters.
If we has an NSA that actually did it's original, defensive job we'd have this done already at taxpayer expense (and money well spent, for once), but we see that's simply not possible, so it's up to the private sector to step up.
Re: (Score:2)
I actually think it's not really possible to do it fool-proof. You may eventually get right as in mathematically right in some formal system, but then the problem is in quality of your formal system.
10 years ago, people often wouldn't account for timing attacks (though I admit they were proposed ~20 years ago) and things like that. It's still well possible that there are attacks noone concieved of yet and implementations may or may not be vulnerable. Heck, it's possible a specific sequence of instructions
Re: (Score:2)
I think formal proofs aren't that interesting myself, but the attention of enough experts will get the job done. Code eventually does mature if you take it seriously, and I've personally seen large codebases go for years with no known or reported bugs. For something like this I'd add a huge bug bounty just in case though.
Re: (Score:3)
Fragmentation is the cost of the freedom: without the rights that can lead to fragmentation, Software would never be free (neither "libre").
A fragmented community is not a software problem - it's a leadership problem: we must learn to choose better our leaders. Since people rarely agree with other - forking is the best (but not always the cheaper) way to decide who's right.
Re: (Score:2)
..and it quickly gets modded down, since it breaks the echo chamber here.
Seriously people, think about it, giving your services away for free makes no sense. No one else does and, contrary to say, volunteer doctors who help poor people (doctors without borders) free software benefits mostly corporations.
Re: (Score:2)
..and it quickly gets modded down, since it breaks the echo chamber here.
Seriously people, think about it, giving your services away for free makes no sense. No one else does and, contrary to say, volunteer doctors who help poor people (doctors without borders) free software benefits mostly corporations.
The thing is that there is an argument that it is fundamentally unethical to not give away your source code. If you want to argue with that it's not enough to just say "but it's nice to not give away the code". Lot's of unethical things can be said to be nice. That does not make them ethical. Saying that you can't make money if you give away the code does not actually do anything to address the argument that the free software fundamentalists pose, so they're not likely to be swayed by that sort of reasoning
Re: (Score:2)
You are confusing giving access to the code and making such access free. I know of several companies that, for example, put the code in escrow so that if the product ever stops being supported customers can access it and modify it. Notice how this reaches a balanced compromise between your need as a user to see the code and the company to earn an honest buck from providing you software services.
Re: (Score:2)
Seriously people, think about it, giving your services away for free makes no sense.
Since when does open source mean giving away my services? I get paid quite well to write open source software. My service is writing code, not copying code. I'm happy for people to copy the code for free, because copying it doesn't require any effort on my part. Having a body of open source code available expands my potential set of customers quite a lot, because a lot more companies can afford to pay for a single feature to be added to an open source codebase than can afford to pay for something to be
Re: (Score:2)
Open source software makes sense. Free (as in gratis) software makes no sense
The problem is it's very difficult to effectively have the former without the latter. People are very relucant to make significant source code contributions when their is an asymetry in the relationship (you see this even in projects with contributor agreements) and setting up a system to pay every contributor fairly would add massive beuracracy.
Re: (Score:2)
Simply changing the license would achieve this. The point is FSF/OSF fundamentalists aren't even trying.
Programmers need to stop and think about the fact that giving away your labor for free to the benefit of corporations is absurd.
Re: (Score:2)
Don't confuse licensing terms with the availability of the source.
Open source means licensing (Score:2)
Re: (Score:2)
I think the meme here is 'obvious troll is obvious'. Open source doesn't mean that the software is free, it means that copying the software is free. Writing it in the first place, fixing bugs, and adding features are all things that someone has to be paid to do (although sometimes people will do it simply in exchange for being able to use the resulting combined work, effectively doing it for free because it's something they need or want).
The problem in the case of OpenSSL is that everyone needs bug fix
Re: (Score:2)
Re: (Score:2)
> discuss how to fix some legitimate shortcomings
Is that a joke? This article is not about fixing problems, it is only about smearing F/OSS.
The article is entirely one-sided. It is meant to make F/OSS seem insecure, while completely ignoring the fact that proprietary software is just as bad, if not worse.
Re: (Score:2)
Re: (Score:2)
Do you have an actual example of "a comeback on the vendor" throughout the history of software development? (I have read that TurboTax actually took some responsibility for a mistake, but that was voluntary.) I've been more or less following this sort of thing for decades, and I'm not aware of legal liability for software that didn't work (as opposed to hardware with embedded software that didn't work).