But is it safe? Uncork a bottle of vintage open-source FUD

Anonymous Coward

The final E in EEE

is a lot harder when your customers have access to the sources.

Mind you that still does not stop some companies still declaring that using FOSS code is too risky so you have to re-invent the wheel again.

One said that using the Oracle Free XML Parser was verboten. So we had to write an XML Parser from scratch. A WTF moment if there ever was one.

11
0
Silver badge

Re: The final E in EEE

That assumes they are willing to pay for competent coders and not outsource to some half-ass group. Let's face it: one of the biggest reasons why people use closed source over open source is they do not want to deal with programmers. Let someone else pay for code monkeys.

4
0
Silver badge

"We want to use a complex mechanical product. But we don't care about the spec sheets, the design documents, the repair manual, the component blueprints and sizings and moulds. We just want the machine to work! We'll pay someone to reinvent all the components if we ever need to change it."

It's a stupid and short-sighted policy.

NASA probably kept every piece of paper associated with their missions while they were still operational. That way they could refer to 30-year-old assembly listings and fix bugs. The Apollo computer code went through revisions for every single mission.

Not wanting to do this, but to just push out products with no way to repair them is fine. You can do that. Apple make a living doing that.

But basing your long-term infrastructure that's going to be in place for 30 years, upgrading your existing one that's so critical it can't go off so you have to emulate the old system, etc. on such a system is stupendously idiotic.

You want the blueprints. Even if those blueprints were made for you by the machine manufacturer. Then you can get other people to make compatible parts. You can change things as necessary and see original design decisions and their causes. And you have everything you need to continue after the original company goes bust.

Computers used to come with circuit diagrams. They used to come with repair manuals. They used to come with component listings. You can still maintain those things on the basis of those documents. Whereas last-year's-iPads are in the bin already as they can't go to iOS 10, or whatever.

Your software should be no different. If it's business-critical, and especially if it's bespoke and highly customised, why would you NOT want to have all the plans and sources available to yourself? All you're doing is giving yourself a dependency on a company that has a method to screw you over for money every year until they go bankrupt. And they can choose the level of their screwing over depending on their own circumstances, not yours. Oracle are famous for this. Microsoft are no different in the long-run.

What we really need to wake people up is a collapse. Literally someone like MS going under and not selling something recognisably Windows or Office any more. Or completely hedging on cloud and stuffing everyone up who has masses of internal, hand-made, customised back office setups. It's unlikely, but that's the only time people might look at their systems and think "Oh. That's now gone. What do we do now to continue running day-to-day? And how can I stop that ever happening again?".

24
1

Yup, you only have to look at file formats to see how that pans out. I have 20 to 25 year old CAD drawings here with no software to read them anymore (Looking at you, Autodesk). The things we made from the drawings are still in service and will be for some time.

In years gone by every time I did a PLC program I kept a hardcopy printout - they survived longer than the equipment to do the programming and associated tapes.

13
0
Silver badge

@Roger Greenwood

You're describing the Physical/Digital media problem which still hasn't really been solved, though open source formats are probably a step in the right direction. Photos and books hundreds of years old can still be read and seen but will digital media still be accessible far in the future? I have 20+ year old designs too but they can still be used - I put them on durable translucent media with ink and all I need to get a print is access to an Ozalid machine, which still exist. Even if Ozalids didn't exist I still have the originals.

3
0
Silver badge
Thumb Up

Computers used to come with circuit diagrams.

And there used to be people who could read those circuit diagrams and repair the computers.

We have lost so much...

6
0

You're describing the Physical/Digital media problem which still hasn't really been solved, ...

Oh, it's solved, but it requires hiring someone with a Library Science degree, which companies and firms are no more willing to do than they are willing to hire a system administrator who can handle backups competently, not that I have any bitter experience with either situation, he said glancing over his shoulder to make sure no one is listening.

One of the best places I ever worked at had both, who made sure that decades-old documents were still readable, and who converted said documents when a software or hardware dependency was about to vanish.

I think there was even one situation where a file was actually printed out (diagrams that needed to be referred to).

4
0
Silver badge

How to look at Open Source

How big a project is it?

How many are behind it?

Does it have the money to keep it going?

What is the governance behind it?

If it's "small", such as a photo editing package, a few key developers and a loyal band of contributors is likely to be all well and good.

Larger or more complex ones, need money and teams behind it, with the design infrastructure behind it.

I've seen some very promising and excellent projects simply fall by the wayside, because the person(s) running it, ran out of money, time or dedication to carry on.

It's OK to say "but you can take the source and do it yourself", but you then have to question, if I'm going to have to pay £30k - £50k a year to get someone to maintain this, is it actually worth it?

I'll happily mix and match OS and proprietary, get the best bang for the buck AND best fit software.

6
3
Anonymous Coward

Re: How to look at Open Source

All those cons are every bit as applicable to proprietary code as open: Software houses go tits-up all the time, abandon products, get bought up and crushed, drift into bait and switch or lock-in strategies, etc, etc and there's F-all you can do about it if the source is restricted. The ONLY difference is the "but you can take the source and do it yourself" which at least affords you the OPTION to maintain it yourself while you choose a replacement - assuming it isn't picked up by someone else in the meantime. That said, if anything open projects do seem to me rather more durable than proprietary products but there are ample failed examples of both for it not to be worth quibbling over.

In my experience the only worthwhile indicators of a project's (or organisation's) future stability are its size and age although I disagree with you about the significance of size. This is equally true regardless of "model." Large and/or mature projects are more likely to still be around in a few years than small and/or immature ones.

The ONLY difference WRT open projects is the "but you can take the source and do it yourself" (maintain and/or review and/or audit and/or amend - as applicable) factor - which can be a lifesaving plus.

Large > Small

Old > Young

Open > Closed

9
1
Anonymous Coward

Re: How to look at Open Source

I think that was Lost all faith's point: the way to look at open source is the same as the way to look at closed source. The "but you can take the source and do it yourself" benefit of open source is almost entirely theoretical. It's exceedingly rare that anyone actually does that in a commercial context. Usually it makes more sense to engineer an abandoned project out of your solution than to take on maintenance of it yourself. You just replace it with something else that is still supported, the same as if it was closed-source.

6
3
Anonymous Coward

Re: How to look at Open Source

Last place I worked at we had code escrow agreements in place with our software suppliers. If they went belly-up we'd get a copy of the source code. We paid a third party to hold it.

When our company got sold off I was assigned to sort through our escrow agreements to determine which would come with us, which would stay with the parent company, and which could be terminated. Many of the escrow arrangements had not received a deposit of code... luckily for us.

2
0
Silver badge
Pint

Re: How to look at Open Source

'It's OK to say "but you can take the source and do it yourself", but you then have to question, if I'm going to have to pay £30k - £50k a year to get someone to maintain this, is it actually worth it?'

Life doesn't always provide such binary choices.

I had a client who were running proprietary applications against a proprietary RDBMS although we did have a copy of most of the application code on site. In that sense it was open but not according to any recognised Open Source definition. And the client was paying maintenance for it.

Two Fridays in a row the invoice run crashed. The second time I decided it wasn't an accident. I spent the afternoon going through the source until I found how it came about that the application was making the database engine allocate more and more memory without releasing it. Then I could go back to the vendors and tell them how to write programs. We still had to wait a few weeks for a new code drop which meant temporarily allocating more memory to the engine during the invoice run. Having proprietary code doesn't mean you have perfect software but having the source means that you can diagnose the problems the vendor missed.

Icon: what the Friday invoice run interrupted.

3
0
Silver badge

Re: How to look at Open Source

"You just replace it with something else that is still supported, the same as if it was closed-source."

There are a couple of assumptions here. First that the something else exists and second that it's not so different that rebuilding around it is more difficult than taking on the original. If the original was stable enough is maintaining it actually an issue?

2
0
Silver badge

"It’s usually organisations whose business is dealing with actual three dimensional objects that ask about open source. Manufacturing, industrials, oil and gas, mining, and others who have typically looked at IT as, at best, a helper for their business rather than a core product enabler."

If you're restricting your article to the UK, then maybe this is true. But worldwide you can see commercial organisations like Google, Amazon and Facebook are built on open source code.

3
2
Stop

You can not be more wrong

"But worldwide you can see commercial organisations like Google, Amazon and Facebook are built on open source code."

That is not true. Neither Google, nor Amazon, nor Facebook sell or distribute their own secretive and proprietary closed software that runs their multi-billion cloud services. They off-load to open source just tools advancing their own data slurping business. Think Deep Learning AI or harmless to their actual business revenue loss tools such as programming languages or web browsers. Please check the facts!

6
6
Silver badge

Re: You can not be more wrong

Nothing about "open source" (even the GPL) requires that those who use it distribute what they use it for or any code that they modify, or that they develop based on the open source. The fact that some of them may not share their modifications or extensions to open source code does not refute the claim that they have built infrastructure or applications on it.

0
0
Anonymous Coward

"Is the community relatively free of conflict?"

With Linus Torvalds running Linux - no!

4
8
Silver badge
Happy

Re: "Is the community relatively free of conflict?"

Jim Zemlin has a go at it here:

https://www.youtube.com/watch?v=7XTHdcmjenI

And Linus has a go here:

https://www.youtube.com/watch?v=SOXeXauRAm0

0
0
Silver badge

Have you learnt nothing over the years?

One of the main problems with OS software is that it decays. OK maybe not with Linux or Apache but other stuff? So you've found some OS software that does its job today, but next year the developers are off doing something else and what you have is abandonware. Maybe you don't notice this has happened, after all you have no maintenance renewal, indeed nothing to indicate that the software has tumbleweeds blowing through it. Have security flaws been found in it? Does it use other bits of OS code that were found to be pwned? You really don't know.

3
2
Silver badge

Re: Have you learnt nothing over the years?

Apple found bugs in their software before iOS 9 earlier this year that had been in there for over 5 years.

Proprietary software is no different. It gets abandoned just the same. How's flash-in-your-browser or Java-plugins coming along lately?

My employer's bank make us run Firefox ESR, with a NPAPI plugin connecting to a .NET Framework 4 software to authenticate a smartcard. Half that software is dead and buried but nobody's updating it and it's THE ONLY WAY our bank will let us talk to them.

For complete hilarity, they now require 8.1 or above because of a .NET library they use. So you have Windows 8.1 / 10 running Netscape plugins to do banking for large corporations. IE already is obsolete. Edge doesn't support NPAPI. Chrome obsoleted support for it last year. Firefox you MUST use an ancient code-base ESR version for it to continue to work. And yet the bank still insist on the above.

What makes you think that isn't software decay, or that being proprietary in their source has helped at all there? And that's from a major high street bank with no alternative so that their junky closed-source software will continue to work.

Don't even get me started on educational suppliers, and embedded hardware like access control and CCTV systems.

At least with OS, when it inevitably decays, if you're bright enough you CAN do something to keep it running. With proprietary solutions, you really have nothing you can do but stay on old junk for eternity, whether physical or virtualised.

9
1
Silver badge

It's a double-edged sword

Open source provides more opportunity for finding bugs, but that includes bad guys. OpenSSL turned out to have undiscovered bugs in it for years, and now bugs are being found in it at a fast n furious rate - because a lot more people are studying it a lot more closely since it has proven to be a lot less secure than people had assumed.

So you have to wonder - some of those bugs that have existed in it for many years, were they really first discovered when announced? Or were they discovered years earlier by some who used them for nefarious purposes?

1
4
Silver badge

Missed the really big question

Does it do what you want?

For something not accessible over the internet, that is the only question that matters. Perhaps it won't do what you want next year, but if you never bothered to check you just delayed the expense of finding out for a year.

If it is accessible over the internet, a good question is "Could someone exploit a flaw in this software to steal millions from other companies who have been making this software accessible over the internet for years?" If the answer is yes, then the continued existence of those companies demonstrates that criminals have easier targets, so the software is secure enough for the revenue it currently handles.

The questions I personally like are: Can I download the source code, read a relatively short README.TXT, follow the instructions to compile the software, and run a self test that works and requires more than 0.001 seconds of CPU time to complete? Can I find the bit that does something interesting, read some clear, up-to-date and relevant comments, add a minimal extra feature, compile and test without the whole thing falling to pieces?

5
0
Anonymous Coward

You mean like OpenSSL - yeah, that's really secure Open Source. My HeartBleeds for it....

4
11
Silver badge
Childcatcher

Wrong end these days.

As everything abstracts into the Cloud, whether you should use Open Source is not the question - you're using it right now somewhere in something your stuff relies on. That you don't know this proves the matter is settled. It obviously Works.

The much more important question is, are the interconnects between your lumps of software Open?

I type this as I wait for my Lync 'phone' to boot, and then slowly become usable, while my ticket system and CMDB can only be accessed by meatbags waving lumps of plastic around a desk, so the Open Source software has to request tickets be raised for it to obtain data from a nearby computer and get it carried back to it, praying the meatbags didn't spill any of it. That's right, we're now employing humans as lossy slow meat cabling connecting computers together.

It really doesn't matter if your software is open, free and perfect if the big kids ensure it's impossible to join in the game, or leave it.

0
0
Anonymous Coward

That's why Linux on the desktop

will not become a reality unless things really change.

reasons #1 and #3 in the article sum it up nicely

0
10
Silver badge

Re: That's why Linux on the desktop

"will not become a reality unless things really change."

I must have been imagining things for years. There was me thinking I was using Linux on the desktop and now you tell me it isn't real! I wonder what it actually is that I'm running.

10
0

Linux on my desktop

I've run various Linux distros at home since I replaced Win98 with Suse 8.0 around 15 years ago. Since I went freelance in 2005 I've run my business on it. Not to mention my wife's desktop, various Android devices and an old PC that runs my Nextcloud server.

Linux on the desktop will never happen for most ordinary home users, and most of them are moving away from PCs anyway and doing all their IT via Faceache on a phone. It is used at work by millions of people many of whom don't know anything about the OS, they just get a login screen and an app to use.

3
2

Re: That's why Linux on the desktop

At a recent site, I'd produced (from my Linux desktop) an external HDD to send some data to Germany (yes, I know!) in a Windoze format. Around 50 (admittedly technical) users in the room. All ran OSX or Linux on the desktop. Eventually, I found a PM who ran windows, and could check that the drive was readable.

Linux on the desktop has been a viable option for > 10 years. It is just getting better with the availability of web interfaces to such things as outlook. I have for years stipulated at interview that I won't work with a windows desktop. I didn't get one job on that basis; otherwise, it's increasingly becoming a marker of competence, rather than a negative.

0
1
Anonymous Coward

Open Source - Is it safe? Does it work?

Both questions boil down to different questions:

1. Do you have documented requirements -- and matching test plans?

2. Do your test plans include tests for behaviour which you ABSOLUTELY DO NOT WANT TO SEE?

Question 2 is particularly interesting from a security perspective. For example, users might write tests about the business functionality and the business data which they want to use. But users are unlikely to write tests to monitor for dangerous behaviours NOT in the requirements:

- Is the software "phoning home" in unexpected ways?

- Is the software "listening" for communications not in the requirements?

- In testing, are application logs completely consistent with the tests which were conducted?

- Is the software writing data which users do not expect (for example saving data in ways not consistent with business requirements such as writing away data which should be deleted).

This sort of approach provides a reasonably solid confirmation (or not) of the statement "it works". Of course, if such testing is not done, then it might "work" -- or then again it might not.

2
0
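
The first three checks listed in the comment above (phoning home, unexpected listeners, logs consistent with the tests run), sketched as an added example that is not part of the original comment or of any project discussed here. The allow-lists, the snapshot layout, the addresses and the log lines are all constructed assumptions.

```python
# Negative tests: fail on observed behaviour that is NOT in the requirements.
# All addresses, ports, action names and log lines are constructed for this example.

ALLOWED_LISTEN_PORTS = {8443}                # only the documented service port
ALLOWED_OUTBOUND = {("10.0.0.20", 5432)}     # only the documented database

# Constructed socket snapshot captured during the test run, in a simplified
# "STATE LOCAL PEER" layout (an assumed format, not real tool output).
SOCKET_SNAPSHOT = """\
LISTEN 0.0.0.0:8443 0.0.0.0:*
LISTEN 0.0.0.0:9100 0.0.0.0:*
ESTAB 10.0.0.5:8443 10.0.0.99:40000
ESTAB 10.0.0.5:51234 10.0.0.20:5432
ESTAB 10.0.0.5:51300 203.0.113.7:443
"""

TESTS_RUN = ["create_invoice", "delete_customer"]
APP_LOG = """\
2017-01-10T10:00:01 action=create_invoice user=tester
2017-01-10T10:00:02 action=export_all_customers user=tester
"""


def parse_sockets(snapshot):
    """Return (state, local_host, local_port, peer_host, peer_port) tuples."""
    rows = []
    for line in snapshot.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore blank or malformed lines
        state, local, peer = parts
        lhost, _, lport = local.rpartition(":")
        phost, _, pport = peer.rpartition(":")
        rows.append((state, lhost, lport, phost, pport))
    return rows


def unexpected_listeners(snapshot, allowed_ports):
    """Ports the software listens on that no requirement asks for."""
    return sorted({int(lport) for state, _, lport, _, _ in parse_sockets(snapshot)
                   if state == "LISTEN" and int(lport) not in allowed_ports})


def unexpected_outbound(snapshot, allowed_peers):
    """Established connections the software initiated to undocumented peers."""
    rows = parse_sockets(snapshot)
    listening = {lport for state, _, lport, _, _ in rows if state == "LISTEN"}
    found = set()
    for state, _, lport, phost, pport in rows:
        if state != "ESTAB" or lport in listening:
            continue  # a local listening port means the peer connected to us
        if (phost, int(pport)) not in allowed_peers:
            found.add((phost, int(pport)))
    return sorted(found)


def log_mismatches(log_text, tests_run):
    """Return (actions logged but never tested, tests that left no log entry)."""
    logged = {field.split("=", 1)[1]
              for line in log_text.splitlines()
              for field in line.split() if field.startswith("action=")}
    return sorted(logged - set(tests_run)), sorted(set(tests_run) - logged)


if __name__ == "__main__":
    print("unexpected listeners:", unexpected_listeners(SOCKET_SNAPSHOT, ALLOWED_LISTEN_PORTS))
    print("unexpected outbound: ", unexpected_outbound(SOCKET_SNAPSHOT, ALLOWED_OUTBOUND))
    print("log mismatches:      ", log_mismatches(APP_LOG, TESTS_RUN))
```

Any non-empty result is a test failure: here the undocumented listener, the undocumented peer, the logged action nobody tested and the test that left no log entry would each fail the run.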
Silver badge

The GPL is the biggest obstacle I've seen to adoption

The GPL has been, by far, the most common reason OpenSource projects have failed. Management gets it in their head that -every- bit of code they write on the machine has to be made public. I explain that such a possibility is very, very remote, but they run from any possibility of risk.

I've had much better luck pushing BSD and Apache licensed products.

2
2

Re: The GPL is the biggest obstacle I've seen to adoption

It isn't remote, it is absent.

1
0
Anonymous Coward

FOSS has its own warts too.

The problem with FOSS is that you're at the mercy of the people who are volunteering for the projects. Not to mention the politics at work.

One could write an economics PhD thesis on the false economy of FOSS and why it is not sustainable.

0
9
Anonymous Coward

Re: FOSS has its own warts too.

The problem with M$ is that you're at the mercy of the people who are running the money grubbing corporation. Not to mention the politics at work.

One could write an economics PhD thesis on the false economy of M$ and why it is not sustainable.

FTFY O:)

What worthless bollocks you type RICHTO. Go on, say "HP (pseudo)audit" and "TCO" too. I know you want to.

4
0

User Importance

I have come across another obstacle to open source adoption. There are users who consider themselves too important to use free software. They deserve expensive stuff. I kid you not!

2
0

Re: User Importance

We have "important" managers at work who MUST have an iPad (must be the latest, most expensive variant), the most expensive Macbook, and an iPhone 7 (the most expensive version). What do they do with this expensive rubbish? Connect to an OpenChange Server for their email, browse the interweb, and play games.

Each of them has several thousand pounds-worth of Apple hardware that could trivially be replaced with a cheap tablet, cheap Android phone, and a third-hand ten-year-old desktop machine from the office pool running Ubuntu.

That's where your tax money is going - supporting idiots like that. I work at a Government department!

2
0

The Register - Independent news and views for the tech community. Part of Situation Publishing