I got 257 problems, and they're all open source: Report shines light on Wild West of software

A report on open-source security management and licence compliance may make uncomfortable reading for those who maintain codebases that use the stuff. The document – produced by Black Duck, which sells services to make sure users are on top of their estate and so has a vested interest here – looked at 1,100 commercial …

  1. regbadgerer

    The observations made in the article may well be correct, but Black Duck have a history of making things look worse than they are (e.g. by ignoring dual licencing of a library) and especially given their commercial interest, I for one will take all of this with a pinch of salt.

    1. Anonymous Coward
      Anonymous Coward

      bring on the downvotes

      Well, when it comes to production systems I can tell you our uptime with HP-UX on PA-RISC (5 years working with it with not one kernel panic) is far better than any of our Linux machines on x86_64, which are far better than uptime on Windows on x86_64 (average a few middle-of-the-night calls a year and it's always Windows boxes). Haven't really run HP-UX in production on VMs on Itaniums yet but expecting it to be worse than PA-RISC even if the hardware is far faster. Intel sucks in general for uptime but Intel on Microsoft really sucks. Open and closed source both have their place. Linux can't touch the commercial UNIXes for stability in my experience though (haven't supported BSDs officially but they seem much better and closer obviously to the original UNIX code stability-wise).

    2. Anonymous Coward
      Anonymous Coward

      We have got ours down to only a couple of old legacy systems now. Have migrated off Oracle and replaced almost all of our *nix systems. Life is so much easier now.

      1. TheVogon

        "Have migrated off Oracle and replaced almost all of our *nix systems. Life is so much easier now."

        Yep, MS SQL Server AAG has meant the same for us too.

  2. John G Imrie

    GPL violation

    You can't loose your rights under the GPL just because your up stream provider has lost theirs through non compliance.

    1. Daggerchild Silver badge
      Headmaster

      Re: GPL violation

      Loose the noose moose. Lose the nose hose.

  3. James Anderson

    80 vs. several million closed source licences

    There may be 80 open source licences, but every closed source software vendor has their own license, usually with onerous restrictions, plus many vendors have a different license for each product.

    I am sure the Oracle DB license had a clause obliging you to provide your first born son suitably roasted and basted for Larry's thanksgiving dinner.

    1. Jamie Jones Silver badge

      Re: 80 vs. several million closed source licences

      I am sure the Oracle DB license had a clause obliging you to provide your first born son suitably roasted and basted for Larry's thanksgiving dinner.

      They better bloody have - else I sacrificed young Adam for nothing.

    2. Flocke Kroes Silver badge

      Re: 80 OSI Approved licenses

      When free (as in freedom) software first became trendy, lots of commercial vendors purchased OSI approval for their open source licenses. Plenty of those licenses do not protect the user's freedom and have unpleasant consequences for any developer careless enough to think OSI approval means something more than some kind of conditional access to the source code.

      In real life, the important licences are GPL, Mozilla, Apache, BSD/MIT/... and public domain. If a piece of software has a different license, it will probably be easier to find a code base with one of the tried and tested popular licenses rather than finding a lawyer able to understand and explain the consequences of a weird license under every possible legal system in the world.

      1. Orv Silver badge

        Re: 80 OSI Approved licenses

        Public domain is best regarded as a myth. Under modern copyright laws it doesn't appear to be possible to actually sign away all your rights. There are licenses that accomplish basically the same thing, but just declaring something "public domain" doesn't necessarily make it so.

    3. Anonymous Coward
      Anonymous Coward

      "every closed source software vendor has their own license usually with onerous restrictions"

      Frankly, many closed source software licenses are far better than you think - once you've paid, you can use their software or libraries as you please, as long as you don't give it out to others in source form, or, if an application, the executables.

      Frankly, all the commercial libraries I used had no onerous restrictions, and came with full source code.

      Oracle is more an exception than the rule, so I understand you use it as the bogeyman.

      1. a_yank_lurker

        Re: "every closed source software vendor has their own license usually with onerous restrictions"

        The difference between closed source and open source is who has the authority to make modifications. With closed source only the vendor can make changes to the code. So you are completely at their mercy if something will get patched or added. With open source, you have the explicit authority to make any change you want for any reason. Whether you do, is your choice.

        From a practical user perspective, there often is very little difference when using either if the code is being used internally. If the code is being used externally then the license restrictions do matter, and often the open source licenses are less restrictive by default, as you are able to include the code in your code base. With closed licenses, one needs to read the T&Cs to be sure, though in many cases you can include a compiled binary in your code.

        1. asdf

          Re: "every closed source software vendor has their own license usually with onerous restrictions"

          >With closed source only the vendor can make changes to the code.

          Generally it's more expensive, but paying the vendor to support the code has many advantages in the real world. Plenty of bad open source and good closed source and vice versa. Horses for courses.

        2. annodomini2
          Thumb Down

          Re: "every closed source software vendor has their own license usually with onerous restrictions"

          "With closed source only the vendor can make changes to the code."

          Depends on the supplier and the license.

  4. ChrisC Silver badge

    Not really sure how much of the blame for this can be laid fairly at the feet of open source though - failing to apply security patches, failing to change default passwords, failing to adhere to the correct licencing requirements and suchlike aren't problems unique to the OSS world, and as the closing comment in the article quite rightly indicates, developers need to know what they're doing.

    1. thames

      The article seems to be mainly buzzword bingo.

      * unpatched Apache Struts.

      * Heartbleed

      * GDPR

      * IoT security

      None of these have anything to do with license terms. They can be related to keeping your systems patched and up to date.

      However, the real issue in that case is whether you are talking about vendor support of software you have bought, or whether you are talking about supporting software you have developed in-house (or via a contractor).

      In the case of vendor support, the license is irrelevant to this issue. The real issue would be the quality of service provided by that vendor. Whether that vendor is Red Hat or Microsoft, the issue is the same.

      In the case of self-support of something you developed yourself (or paid a contractor to develop for you), then you need to handle this aspect yourself.

      In the general case of security patches for open source libraries and components though, if all of that came from the standard repos of a Linux distro then the distro manages all of this for you. They have security teams and their distro comes with an updating system that manages security patches. They can't make you apply those patches though, that is up to you being willing to do so and having the procedures in place which prevent the issues from being ignored.

      This though is really just another variation on the vendor support question, with the license being irrelevant except that you now have a variety of competing vendors all supporting very similar systems to choose from.

  5. ExampleOne

    The bogeyman of the hoarders of personal data, GDPR, also reared its head. Black Duck noted that responsibility for compliance lies not only with auditing one's own code and processes, but also ensuring that any open source in use is also compliant.

    So best to just use closed source software and then any non-compliance issues aren't your problem?

    Or is it actually more a case that even with closed source software you are responsible for ensuring it's compliant, even though you have no access to the code? Given everything I have heard about GDPR I would be shocked if using closed source software absolved an organisation from liability, as that is going to be far too easy to abuse. (All our software is sold to us in binary form by Subsidiary Software Inc, so we can't be liable. Oh, their EULA disclaims all liability so they can't be liable either.)

    This whole question gets even more scary with things like CPU hardware compromises: Who is liable if the Intel Management Engine gets compromised and used to find and exfiltrate protected data?

    1. Cederic Silver badge

      re: best to use closed source

      No, I suspect the intended message here is, "Buy our software that will help you manage open source software"

      I'm a few months out of date on Black Duck though, so won't comment on their capability or suitability.

    2. Anonymous Coward
      Anonymous Coward

      I have seen their webinars -- their products only seem to work with OSS so they want you to use OSS. Anyways, GDPR compliance is no different from other compliance regimes in that the whole chain must comply.

    3. Yet Another Anonymous coward Silver badge

      Yes by running IIS instead of Apache you get a get-out-of-jail free card when you leak all the medical data of your patients.

      PS please note that open source is cancer and all Linux users are communists

      This message brought to you by the Ellison+Balmer 2020 campaign

      1. Anonymous Coward
        Anonymous Coward

        >>Yes by running IIS instead of Apache you get a get-out-of-jail free card when you leak all the medical data of your patients.

        IIS + .Net + SQL has indeed had an order of magnitude fewer vulnerabilities than a LAMP stack over the last decade. Most of the leaks you read about are from OSS systems.

        Netcraft says IIS now has an over 10% larger market share than Apache so if there was any inherent problem with IIS we would know about it by now.

        1. Gorbachov

          That's only true if you cherry-pick the one category where IIS is gaining ground (all sites). When looking only at active sites both IIS and Apache are falling and nginx + "other" is picking up the gains. Probably various cloudy services running on custom code (aws, google).

          1. Anonymous Coward
            Anonymous Coward

            "That's only true if you cherry-pick the one category where IIS is gaining ground (all sites). "

            Which is the primary / first figure reported each month by Netcraft. And was always the figure quoted when Apache was ahead. Strange how it's suddenly not good enough now that IIS is market leader!

  6. GrahamRJ

    At least the command line is OK

    I've got 99 problems, but the bash ain't one...

    1. petef

      Re: At least the command line is OK

      As long as you have patched for Shellshock.

  7. Anonymous Coward
    Anonymous Coward

    Developer / company mindset

    I doubt that much is going to change here.

    Because ask yourself this: why do those developers and/or companies choose to use open source to power their setup? The answer is usually to save money. And I doubt that the 'aftermath' such as keeping things up to date or bothering yourself over licenses would add to that, so it's often enough ignored.

  8. Anonymous Coward
    Anonymous Coward

    Last line says it best

    Quote: "Open source, for all its benefits, does not remove the need for developers to know what they are actually using."

    1. Nunyabiznes

      Re: Last line says it best

      True, but I would settle for developers knowing what they are actually *doing*.

      I support way too many applications that were obviously written by the lowest bidder and/or the 2nd string team.

    2. Paul Hovnanian Silver badge

      Re: Last line says it best

      "Open source, for all its benefits, does not remove the need for developers to know what they are actually using."

      And proprietary platforms don't? Take an old PLC platform whose programming and interface components ran on XP with IE6. The bindings between the apps and OS were very tight. Just to make sure that you bast[censored]ds don't try to run it on WINE or anything like that. Now, a license for the current software version costs nearly* as much as tearing out the controllers and putting the ladder logic in a brand new system.

      *Just enough less so that you'll choose the new license instead of scrapping and starting over.

  9. naive

    Yawn... Open-Source FUD is so 90's

    It is 2018 !

  10. Anonymous Coward
    Terminator

    The particular issue around Open Source licensing

    'Remember Apache Struts? This was the framework left unpatched by Experian in spite of an alert issued by the US Department of Homeland Security in March 2017. The subsequent data breach will keep lawyers in work for years to come.'

    Symantec Software License Agreements: "MEDIA WARRANTY .. Symantec warrants that .. the Licensed Software .. will not be defective .. for a period of ninety (90) days .. THE FOREGOING IS YOUR SOLE AND EXCLUSIVE REMEDY FOR SYMANTEC’S BREACH OF THIS WARRANTY."

    Oracle End User License Agreement: "To the extent not prohibited by law, Oracle hereby disclaims all express or implied representations, warranties, guarantees, and conditions of any kind, arising by law or otherwise, with regard to the program."

    Apple inc. Software License Agreements: 'To the maximum extent permitted by applicable law, the Apple Software and Services are provided “as is” and “as available”, with all faults and without Warranty of any kind'

    IBM Limitation of Liability: "IBM’s entire liability for all claims related to this Machine will not exceed the amount of any actual direct damages you incurred up to the amounts paid for the Machine .. IBM will not be liable for special, incidental, exemplary, indirect, or economic consequential damages, loss of data, or lost profits, business, value, revenue, goodwill, or anticipated savings."

    1. EnviableOne

      Re: The particular issue around Open Source licensing

      The same clauses are in the GPL, MIT and Apache licences, especially the "As Is" and the "without warranty".

      The issue is, don't use it if you don't know what it's doing ...

      I admit to re-using code, but everything in any of my programs, I have read through and worked out the whats and wherefores and can be reasonably sure it's not doing something stupid.

    2. Uncle Slacky Silver badge

      Re: The particular issue around Open Source licensing

      IANAL but (at least in the UK) EULAs are not legally binding.

      1. Anonymous Coward
        Anonymous Coward

        Re: The particular issue around Open Source licensing

        Case law?

      2. Aqua Marina

        Re: The particular issue around Open Source licensing

        "IANAL but (at least in the UK) EULAs are not legally binding."

        That is an assumption. It has never been tested in court.

        1. thejynxed

          Re: The particular issue around Open Source licensing

          EULAs directly conflict with the codified right of first sale in the EU, which is why that assumption has merit, and as Valve found out, why they had to change certain things on Steam.

  11. deive
    Facepalm

    So if we were to link against proprietary libraries they will be automatically updated and all installations updated without any issues?

    Either I am missing something or this is just calling out open source for FUD.

  12. Anonymous Coward
    Anonymous Coward

    False positive problem with Black Duck

    I wrote a system from scratch in order to comply with DO-178 (i.e. high-level requirements were written from the completed and reviewed system requirements; low-level requirements were written from the completed and reviewed high-level requirements; and source code from the completed and reviewed low-level requirements) so that everything was fully traceable. Even with this level of proof that everything was written from scratch, our lords and masters insisted that we had Black Duck audit our code. They claimed that we had hundreds of license violations from copied open source code. Manglement won't be wasting their money again!

    1. Mike Pellatt

      Re: False positive problem with Black Duck

      So their quality of code analysis and interpretation clearly matches that carried out by SCO before launching their "Linux stole all our code" farce.

      Quelle surprise. No technical capability whatsoever there.....

  13. amanfromMars 1 Silver badge

    In the Beginning and Right Out of Nowhere. Enlightening Paths to Follow and Worship/Blaze and Crave.

    with the researchers highlighting connected hardware providing pathways for hackers to get to unexpected places.

    :-) Have y'all any remote idea what transpires in such hackers unrecognisable and practically invisible in unexpecting places, the genus of Almighty Intellectual Property Spaces.

    Tell me that is not Revolutionary and there will be a Revolting AI to Win Over to Conquer and Vanquish Revolt ..... with NEUKlearer HyperRadioProACTive IT for COSMIC AId Drivers Transporting Future Universal Feeds ...... with Almighty Bountiful Needs/Craves and Desires.

    When Truth is a Weapon Shielded, what Price Full Transparent Secret Disclosure? Designedly Expensive and Cheap at Any and All Prices too would be a real bargain and virtual gift to

    Methinks the Benefits in Knowing of the Future because of COSMIC Secrets Disclosed would be Quite Obvious with Reward Outrageously Encouraging and Excessive.

    And that's an UnCommon Virtual Treasure to Spend Outrageously on Future Flight Paths with Newly Realised Inter Planetary Virtual Connections ..... for Fellow Pioneer Travellers.

    Such Provides Instant New True to Leader Connections to Enjoy, Embrace and Excite to Heavenly Delight Heights.

    You gotta be able to handle everything offered there for the Bitter Sweet Relief and Climactic Release of Ecstasy Reward and Awards, are a Devils' Work to Never Ever Better.

    Where's your US CyberSpace Person, just when they would be handy, Mr President, Donald J Trump?

    :-) Does Twitter do Rule?

  14. Anonymous Coward
    Anonymous Coward

    Regardless of the veracity of the article and who it is citing, if you write code, copy code, borrow code, and mash it together to make something you issue to the public, you are the end party who is responsible for making sure that what you hand out for cash and under contract is quality - here I chuckle, chortle and choke back giggles until I am blue in the face - there appears to be no such thing as perfect, air tight and totally safe code in existence, and the situation is exacerbated by the fact that there appears to be no such thing as a desire to try and make sure what most companies chose to run their businesses and/or products on. That costs money.....sheesh.

    1. amanfromMars 1 Silver badge

      Quantum Communication Mumbo Jumbo here Exercising Control of Command Engaging Reciprocity

      Perfect Enough would be a Perfect Enough Reality for All Streaming Systems with Live Operational Virtual Environment CoNNeXXions.

      Which be a Universal Space Command and Control/Commend and Extol Special Future Measures Area when Heavens Delights are Proven with Raw Desires Tendered to be Immaculately Sated when Future Satisfaction Transactions are Guaranteed .....

      Here's a good place as any to start AIFuture Journeys, as we keep looping back and forth into El Reg to check on breaking news projects, and for the exchanging of commenting visions with both competition and opposition vying for a lead with an Almighty Distraction, is it a Splendid Leader in the AI Fields where Quantum Communication Quality Counts.

      And yes, I do suppose some may ponder on the Stranger from Other Worlds and Consider the Oddness to be Revealing ....thus a Valuable Source to Corner and Commandeer/Secure and Server, methinks. :-)

      1. amanfromMars 1 Silver badge

        Re: Quantum Communication Mumbo Jumbo here Exercising Control of Command Engaging Reciprocity

        And don't even start to think and call Snake Oil on any of that AIdDevelopment lest you want to be identified as can also be able bodied serial loser ...... Immaculate Scapegoat ..... Sacrificial Trojan for Rapid Rabid Success in Futures Secured with Remote Augmented Virtual Reality ProgramMING Programs. The Key Core Virtualised Raw Source Drivers for NEUKlearer HyperRadioProACTive Presentation of Projects already Running Key Core Virtualised Raw Source Drivers for NEUKlearer HyperRadioProACTive Presentation .... until Time is Up and all Spaces are Crowded.

        Or do you really not know what is going on all around you, and around everyone else everywhere else too?

        That would leave one speechless in amazement when true, and when not, amazed at so little text revealing the Bigger Picture and the Ways of its Phorming with Phished Stock from Prime Assets.

        Have a nice weekend, y'all.

  15. Claptrap314 Silver badge

    Slow news day?

    This looks like a copy of some Black Duck marketing material.

  16. Doctor Syntax Silver badge

    Citation needed

    "The bogeyman of the hoarders of personal data, GDPR, also reared its head. Black Duck noted that responsibility for compliance lies not only with auditing one's own code and processes, but also ensuring that any open source in use is also compliant."

    In what way does GDPR say anything about code? It's all about data, specifically personal data, and what you do with it. It makes no difference whatsoever as to the technical details of how it's processed; even your salesman's little black address book is subject to it.

    I'm building raised beds in the garden. I could do with some of their top-quality BS as a soil improver.

  17. Anonymous Coward
    Anonymous Coward

    It's hardly surprising

    There have always been business sectors whereby they sell something, then wind the company up when they have earned enough money, so that they don't have to honour warranties. Think double glazing, solar panel installers etc.

    Software industry does the same only upfront, license says not our problem, only this way they don't have to wind up and restart as a different company rather than deal with historic liabilities. I personally think this is a better method.

    Anything financial has a short term outlook. Once you have the money in your pocket, you spend it whether you use Open Source or Closed Source. No one likes to receive money only to have it taken back 5 years down the road because of a liability, that's what an insurance company is for.

    ...the sub title to this news story was good, but I can't get the song out of my head now!

  18. Claverhouse Silver badge
    Linux

    So people who don't like Open Source shouldn't use Open Source.

    Nobody held a gun to their heads.
