Free Republic

Is the FOSS Infrastructure Crumbling?
FOSSForce ^ | 17 June 2015 | Christine Hall

Posted on 06/17/2015 8:36:35 AM PDT by ShadowAce

It appears as if much of the open source infrastructure we depend on is suffering from neglect. That’s the message brought to the SouthEast LinuxFest (SELF) by David Nalley. Listening to his talk, “The Tragedy of Open Source,” it was hard not to think that some of our infrastructure projects are beginning to resemble disintegrating municipal water and sewer systems, or to compare his examples with our crumbling roads and bridges. Nalley is a South Carolina-based “recovering sysadmin” who now wears many hats at Apache as well as being an employee of Citrix.

The neglect he mentions has caused more than a few near misses that fell inches short of disaster, with two major incidents happening last year alone.

Take the Heartbleed vulnerability that affected OpenSSL. Nalley points out that last year, when the bug was discovered, there was only one person, earning a mere twenty grand a year, actively maintaining the OpenSSL project. Also last year, there was only one person maintaining bash when Shellshock was discovered.

Lest you think these are isolated exceptions, they’re not. Take the case of GnuPG. This popular FOSS replacement for PGP has only one maintainer. Does that make you feel secure in the age of Snowden?

At Apache there’s a metric called the Pony Factor, which Nalley watches when evaluating the health of projects. Basically, the factor is the smallest number of people who together wrote 50% of a project’s code over a two-year period; the bigger the number, the more vibrant the project. However, even some relatively large projects show figures that are downright scary. For instance, in Git one person has written over half the code over the last two years. In Perl, three people wrote at least half the code over the same two-year period.


David Nalley at this year’s SouthEast LinuxFest.

“There’s a lot of Perl still running,” Nalley points out, “so three people maintaining the code is quite disturbing.”

Indeed it is. In today’s online world, fraught with security issues, I’d hate to be running a website on a Perl based platform knowing that.

The problem, as Nalley sees it, might not be dissimilar to what we see happening with our roads and bridges. New roads and bridges are being built all the time because the public loves new roads and it helps politicians get elected. Not so much with maintaining those roads and bridges after they’re built. Hence, we see tragedies such as the 2007 Minneapolis bridge collapse that took thirteen lives.

“Much of the time we’re focusing on new functionalities,” says Nalley. “We’re not focusing on maintenance.”

He points out that over the last year or so, Google has spent more money developing a set of fonts to be used in its advertising programs than OpenSSL has spent over the entire life of the project. No slam on Google, of course. This isn’t about how much Google is spending; it’s about how little is being allocated to projects like Git, OpenSSL and bash by the open source software companies who depend on the viability of these projects.

However, maybe we can put that last statement in past tense.

Evidently Heartbleed was something of a wake up call, as this vulnerability prompted Linux Foundation executive director Jim Zemlin to quickly get thirteen tech companies to fund a new project, the Core Infrastructure Initiative (CII), to the tune of $100,000 per company per year. This money is disbursed for such things as paying developers to work full time on OSS projects, conducting reviews and security audits and helping to facilitate travel and meetings among developers. Since the initiative began in April of last year, five additional tech companies have come on board.

It didn’t take long for this project to prove its worth. In September of last year, a mere five months after CII was born, the initiative was able to offer assistance to bash maintainer Chet Ramey after the discovery of Shellshock.


TOPICS: Computers/Internet
KEYWORDS: computers; computing; foss

1 posted on 06/17/2015 8:36:35 AM PDT by ShadowAce
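The Pony Factor mentioned in the article above can be computed directly from a project’s git history. The Python below is an added example, not code from the article, from Nalley’s talk or from the Apache Software Foundation’s own tooling; it assumes the input is the output of `git log --format='%an%x09%ad' --date=short` (one tab-separated author name and commit date per line) and follows the usual Apache definition, which counts commits rather than lines of code. The sample log is constructed, not taken from any real project.

```python
"""Pony Factor from a git log (added example; sample data is constructed)."""
from collections import Counter
from datetime import date, timedelta

# Constructed sample: what `git log --format='%an%x09%ad' --date=short`
# prints, one "author<TAB>YYYY-MM-DD" line per commit. Not a real project.
SAMPLE_LOG = """\
alice\t2015-03-01
alice\t2015-02-20
bob\t2015-01-15
alice\t2014-12-03
carol\t2014-11-30
alice\t2014-09-10
bob\t2014-06-01
dave\t2013-05-05
"""


def parse_git_log(text):
    """Return a list of (author, commit_date) tuples from the tab-separated log."""
    commits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            author, day = line.split("\t")
        except ValueError:
            raise ValueError(f"line {lineno}: expected 'author<TAB>YYYY-MM-DD'") from None
        commits.append((author.strip(), date.fromisoformat(day.strip())))
    return commits


def pony_factor(commits, as_of, window_days=730):
    """Smallest number of authors whose commits together exceed half of all
    commits in the trailing window (as_of - window_days, as_of].
    Returns 0 when the window contains no commits at all."""
    cutoff = as_of - timedelta(days=window_days)
    per_author = Counter(
        author for author, day in commits if cutoff < day <= as_of
    )
    total = sum(per_author.values())
    if total == 0:
        return 0
    running = 0
    # Walk authors from most to least prolific until the running total
    # is strictly more than 50% of all commits in the window.
    for rank, (_author, n) in enumerate(per_author.most_common(), start=1):
        running += n
        if 2 * running > total:
            return rank
    return len(per_author)  # not reachable: every commit has been counted


def pony_factor_from_log(text, as_of_iso, window_days=730):
    """Convenience wrapper: raw log text plus an ISO date string."""
    return pony_factor(parse_git_log(text), date.fromisoformat(as_of_iso), window_days)


if __name__ == "__main__":
    pf = pony_factor_from_log(SAMPLE_LOG, "2015-06-17")
    print(f"Pony Factor over the two years to 2015-06-17: {pf}")
```

On the constructed log, alice alone accounts for four of the seven commits in the two years to 2015-06-17, so the Pony Factor is 1: exactly the single-maintainer situation the article describes for Git. Two caveats when running this against a real repository: counting commits rewards people who commit in small pieces, so compare the result with a lines-changed variant (`git log --numstat`) before drawing conclusions, and a window that ends today will still count someone who stopped contributing eighteen months ago, so the number can overstate how many active maintainers a project has.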

To: rdb3; Calvinist_Dark_Lord; JosephW; Only1choice____Freedom; amigatec; Ernest_at_the_Beach; ...

2 posted on 06/17/2015 8:36:54 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce
New roads and bridges are being built all the time because the public loves new roads and it helps politicians get elected. Not so much with maintaining those roads and bridges after they’re built.

This is true of more than just roads and bridges. When I was stationed in Thailand I played tourist in a lot of Buddhist temples. I learned that Buddhists "gain merit" by building a temple, but not by maintaining one. Hence many of the temples were showing their age. Only a few, that were popular tourist attractions, received government money for maintenance.

3 posted on 06/17/2015 8:43:58 AM PDT by JoeFromSidney ( book, RESISTANCE TO TYRANNY, available from Amazon)

To: ShadowAce

” IS THE FOSS INFRASTRUCTURE CRUMBLING? “


I don’t know but my alley is, definitely.


4 posted on 06/17/2015 9:09:58 AM PDT by RitaOK ( VIVA CRISTO REY / Public education is the farm team for more Marxists coming)

To: ShadowAce
The vast majority of internet infrastructure still runs on FOSS software. We are going to have to come up with a way to underwrite the maintenance of some parts of it though. Things like SSH come to mind. The problem for the developers is that it is something that is hard to monetize. You can build a business around the Apache webserver, and databases, and things like that, because they are a lot more flashy than a secure communications protocol.

Regular audits should be run on many of these 'small' bits of what are essentially critical parts of the infrastructure, but the question arises of "Who's going to pay for that?" It's tempting to say that it should be companies like Red Hat that live almost wholly in the FOSS space. The problem with that is that everyone depends upon things like SSH even if they don't know it. The cryptographic protocols now built into servers of almost all kinds are absolutely critical to commerce to an astounding degree, but we don't really have anyone that is spending the time to look at the internals of them and make sure things like PRNGs, handshakes, fallbacks and such are properly written.

One of the biggest problems is that, in the case of physical infrastructure, government agencies would do this, and doubtless waste countless billions and introduce bureaucracy and multiple layers of cruft into the process. However, even if the government claimed it wanted to take on such a task, they simply can't be trusted with it. We know that the NSA has purposefully and with malice aforethought kept many if not most failures of software they've discovered secret, so they can exploit them at their leisure, regardless of how wide-open such actions leave all of us.

Feral governments, like ours and most others on the planet have fundamental conflicts of interest in taking on such a task.

Perhaps we need something like UL (Underwriters Laboratories) for some critical FOSS. One problem is going to be identifying what is, and is not, critical. Is the TCP/IP stack critical infrastructure? I'd say so. What about APIs for financial transactions? Maybe, maybe not, depending upon how the API is constructed.

This entire subject does need some light and discussion.

 

5 posted on 06/17/2015 9:14:03 AM PDT by zeugma (http://www.freerepublic.com/focus/chat/3294350/posts)

To: ShadowAce

This is what I never understood about the Linux crowd. What part of FREE do they not get? Why should any for-fee company pay to keep a competitor going? Why should they pay to sustain an OS that a base of a software company's users will demand they support (for free)?

I give them a ton of credit for getting these guys to pony anything to them.

Seems like there’s a hot new programming language coming out every quarter now. I can’t keep up with them all, like a dinosaur sinking in a tar pit.


6 posted on 06/17/2015 9:16:30 AM PDT by RinaseaofDs

To: RinaseaofDs

Seems like there’s a hot new programming language coming out every quarter now. I can’t keep up with them all, like a dinosaur sinking in a tar pit.

But rest assured some H1B has 5 years experience in it as soon as it comes out.


7 posted on 06/17/2015 9:41:10 AM PDT by pas

To: pas
But rest assured some H1B has 5 years experience in it as soon as it comes out.

Overheard during an interview:

Q: Do you know the programming language Querkle?

H1B: Yeah, Yeah, Yeah.

Q: How long have you worked with Querkle?

H1B: 5 years.

8 posted on 06/17/2015 9:52:14 AM PDT by zeugma (http://www.freerepublic.com/focus/chat/3294350/posts)

To: zeugma
This entire subject does need some light and discussion.

Exactly. Too many people want(ed) to work on the flashy, "sexy" projects, and not enough on the boring, invisible ones.

You've pretty much brought up all the important points on this topic I was going to bring up, so there's not a lot more I can add.

9 posted on 06/17/2015 11:04:16 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce
You've pretty much brought up all the important points on this topic I was going to bring up, so there's not a lot more I can add.

Sorry about that (grin)

10 posted on 06/17/2015 12:44:59 PM PDT by zeugma (http://www.freerepublic.com/focus/chat/3294350/posts)

To: ShadowAce

The problem with open source projects is that eventually, the owner gets a girlfriend.


11 posted on 06/17/2015 12:54:39 PM PDT by tacticalogic ("Oh, bother!" said Pooh, as he chambered his last round.)

To: RinaseaofDs

“This is what I never understood about the Linux crowd. What part of FREE do they not get? Why should any for-fee company pay to keep a competitor going? Why should they pay to sustain an OS that a base of a software company's users will demand they support (for free)?”

I’m not sure what exactly you’re saying here, but Linux is one example where companies are making money, and paid employees are doing a lot of the coding these days. Red Hat and Ubuntu are probably the two best examples.

Five years ago Red Hat (RHT) was trading around $30 a share, as of today it’s at $78.

The companies profiting from open source are starting to fund some of the less well supported areas these days.


12 posted on 06/17/2015 2:33:59 PM PDT by PreciousLiberty

To: ShadowAce

13 posted on 06/17/2015 5:48:12 PM PDT by grey_whiskers (The opinions are solely those of the author and are subject to change without notice.)

To: zeugma

I’ve got a better one. This was in an interview:

Q: How many years of experience do you have with the Windows Server 2012 OS?

H1B: I have an MCSA in 2012 and two MCSEs in 2012.

Q: So you would say that you’re comfortable in the operating environment?

H1B: Yes, of course. I am fully-certified.

This person is hired as a contractor. We have an outage two weeks later where users cannot log into their machines due to domain response issues.

Q: Any idea why they can’t log into the production domain?

H1B: You said you wanted them consolidated, so I migrated all of the accounts to a single domain.

This person was summarily fired on the spot, and I spent the next week unraveling what they’d done with Microsoft helping me through the whole thing. This was a nightmare unlike any I’d ever seen.

I’d come to find out that the H1B crowd is often heavily subsidized to go through the MS bootcamps to just plow through the exams to get certifications without actually learning any of the material. When I’d explained to this person that they’d done something outside of change control and destroyed our infrastructure, his excuse was that he was doing what we asked him to do. No one asked him to do anything of the sort.


14 posted on 06/18/2015 4:58:42 AM PDT by rarestia (It's time to water the Tree of Liberty.)

To: rarestia
I’d come to find out that the H1B crowd is often heavily subsidized to go through the MS bootcamps to just plow through the exams to get certifications without actually learning any of the material.

Not only that, there are professional test-takers to get certs for a lot of these folks.

When I’d explained to this person that they’d done something outside of change control and destroyed our infrastructure, his excuse was that he was doing what we asked him to do. No one asked him to do anything of the sort.

Very sad.

I suspect there are many such horror stories out there.

 

15 posted on 06/18/2015 8:15:03 AM PDT by zeugma (http://www.freerepublic.com/focus/chat/3294350/posts)
