OpenSSL, Bash bugs show why firms should back FOSS projects

This year has been an unusual one for free software in that two popular projects have been hit by vulnerabilities that have had wide ramifications for all classes of software. And that is one good reason why the big proprietary software firms should look to support such projects financially.

The OpenSSL cryptographic software library was the first to suffer, when a vulnerability dubbed Heartbleed was discovered. This library is used across the spectrum. According to a website devoted to the bug: "This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the internet. SSL/TLS provides communication security and privacy over the internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)."

OpenSSL has a four-man core team. The same four are also part of the 15-member development team. Many of these developers are also involved in other free software and open source projects. And, lest one forget, they also have to do paid work somewhere to put food on the table.

It is definitely not the place for a man looking for riches. Yet over the years, development has proceeded apace and, without any praise or awards, this small team has provided a library that has near universal usage. (There is now a fork of the project, called LibreSSL, which was started after the bug was found by Theo de Raadt, the leader of the OpenBSD project.)

The second free software project to suffer was Bash, the Bourne-again shell which was created by the GNU Project set up by Richard Stallman in the 1980s. As the project describes it, "Bash is the GNU Project's shell. Bash is the Bourne Again SHell. Bash is an sh-compatible shell that incorporates useful features from the Korn shell (ksh) and C shell (csh). It is intended to conform to the IEEE POSIX P1003.2/ISO 9945.2 Shell and Tools standard. It offers functional improvements over sh for both programming and interactive use. In addition, most sh scripts can be run by Bash without modification."

When a series of remote vulnerabilities were discovered beginning on September 24, it was left to individual developers to come up with fixes. The lone Bash developer, Chet Ramey, was snowed under. Red Hat's Florian Weimer did yeoman work – while Apple, a company which uses Bash as its default shell, sat by and did little. It was tardy in the extreme with its patches and left the task of creating patches for older versions of its Mac OS X operating system to an individual.

Proprietary software companies love to use code that is available under the BSD family of licences, because they can take it, make changes, and lock it away for good in the depths of their own operating systems. They benefit no end from this, but rarely offer even a cent in goodwill to those who wrote the code.

Developers who release their code under the GPL family of licences have a safeguard against the kind of usage detailed above, because the GPL licences are a "share and share alike" breed. One can freely use code and modify it for one's own purposes. But if one distributes it, then one has to offer all the changes to anyone who asks for it.

But despite these safeguards, proprietary software companies often do not play fair. And free software and open-source software developers are not the most militant, and let things lie. Unless someone takes up cudgels for them, they just let it go as it is too exhausting to fight these battles.

But the year has shown clearly that there is more manpower needed in projects like OpenSSL and Bash, and others where there is wide usage. For example, the usage of OpenSSH, an implementation of the SSH protocol by the OpenBSD team, is more than 80 per cent. When he came to Melbourne a decade ago, OpenBSD project leader de Raadt was quite frank about the help he had received from big companies: "Hardware donations do not come from vendors who use OpenSSH on parts of their stuff. They come from individuals. The hardware vendors who use OpenSSH on all of their products have given us a total of one laptop since we developed OpenSSH five years ago. And asking them for that laptop took a year. That was IBM."

Developers need hardware to test their software against. They need bandwidth. And they need to be paid because they can then take their time to concentrate and code, instead of having to do a rush job because they have to also attend to their responsibilities at a paid job.

There are any number of big proprietary software companies that benefit from free software – Microsoft, Facebook, Google, Cisco, Twitter, Apple, Yahoo!, and Oracle to name a few. It is high time that these companies started contributing money to a developers' fund from which projects like OpenSSL and Bash can be supported.

All these companies have billions stashed away yet rarely does one see any decent-sized donation to any free or open source software project. And all the while, those very projects are saving the companies plenty.

Both the OpenSSL bug and the Bash bug have shown that it will cost far less to pay for some more coders in these projects, simply because it will lessen the chances of remotely exploitable bugs being introduced into software by overworked and underpaid individuals who are trying their best to release software in the face of unimaginable odds. It is a cheap way of avoiding public embarrassment and problems down the track.

Image courtesy Heartbleed.com

Sam Varghese

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.