
Heartbleed and Open Source Misconceptions

The infamous Heartbleed bug found in the OpenSSL library shook the software industry. It also exposed some misconceptions about the world of open source software.

1) Linus's law


“With enough eyes, bugs come to the surface,” - Eric Raymond.

Linus's law states that, given enough users and enough developers reviewing the code, bugs in open source code will be found and gradually fixed, resulting in code that is more correct and more secure than proprietary software.

The book "Facts and Fallacies of Professional Programming" refers to this as the eighth fallacy. It cites a study showing that the rate at which new bugs are found does not grow linearly with the number of reviewers. I believe that the fact that people are not good at finding bugs by reading software should be obvious to any developer. While obvious bugs such as syntax problems or the use of antipatterns are easily caught during code review, many other bugs reveal themselves only when the program is actually used.

So users become part of the equation. Surely, if bugs were missed during code review, they will be found during actual use of the finished program, right? Again, this turns out to be wrong. As with code review, only obvious errors are easily found. A problem that manifests itself only under very specific conditions, or under conditions that are not obvious to the end user, can remain undetected for a long time. The more complex the program, and the more tasks it performs for the user, the harder it is for the user to verify that it is correct. Since programs usually perform tasks that would take a person far longer to do, it can be very difficult to repeat the process by hand to check the result.
Heartbleed illustrates this rule: OpenSSL is used by millions of companies around the world, many of which employ full-time software engineers and serve millions of users. Yet this hole went undetected for almost two years and might have stayed unknown if the security team had not started looking.

A comment I saw on Hacker News a couple of days ago sums it up well:

The fallacy of the "many eyes" applies not only to formal reviews. It also carries the idea that the degree of openness of a project matters little with regard to who has the privilege of reading the code: whether the project is open or closed makes little difference, since it will mostly be reviewed by the maintainers and their colleagues. In fact, in most cases in the world of Open Source, the circle of people who actually understand specific commits is only slightly larger than it would be with closed code. Bugs only slightly "float to the surface", if they do at all. The fact that in the case of Heartbleed the code was reviewed by only one person, despite being open, only confirms this.

So the advantages of open source over closed source in terms of correctness and security are minimal, if they exist at all. The real strength of open source software is the ability to fix a bug with your own hands, although in this case most people (developers included) waited for an official patch, because patching security software, and especially a library like OpenSSL, a project known for the complexity of its code, is beyond most programmers.

2) Most open source software is not developed or professionally maintained.


As Heartbleed has shown, even critical software projects used by a large part of the Internet do not always have the resources for professional support. The OpenSSL team receives only $2,000 a year in donations. Many articles about the Heartbleed vulnerability were written in an accusatory tone, and so far no one has pointed out that these people work voluntarily in their free time, doing what can only be described as thankless public service.

The developer who introduced this bug is not even a professional programmer; he is a graduate student. A professional is someone who makes a living from the work. Although he is capable of contributing to a highly specialised library like OpenSSL, one cannot expect an academic to write code to the same standard as professionals with many years in the industry, the kind of people we expected to see as maintainers of key security tools.

This is both a strength and a weakness of open source software: anyone can contribute, regardless of background or professional experience. Many open source projects were created by amateurs, which is part of their beauty and, at the same time, a risk that users should keep in mind.

While some important projects are sponsored by companies, which allows full-time professionals to be among the contributors, most open source projects barely make ends meet on donations. I believe that giving the open source world the same resources as commercial software may be the best way to create viable, higher-quality projects that benefit everyone.

For projects that do not receive corporate backing (and private companies are not accountable to ordinary users), alternative business models are available, such as open core (MySQL, for example) or services and support (Red Hat, for example). In most cases, relying solely on donations may not be enough.

I hope someone will take on the further development of OpenSSL, because the project is important to the whole Internet. If not, I hope the maintainers will seriously consider alternative business models that would let them work on the project full time, if that is what they want. I'm not sure about that.

3) Every project has bugs. The open source world has fewer resources to find them.


Many users feel entitled, even though they are getting something for free. The OpenSSL maintainers have been bombarded with complaints and accusations, even though they have been doing important volunteer work for years. They provided a free library that let individuals and companies encrypt their communications and protect their data. The programmers worked in their free time and with little recognition for their efforts.

Some went so far as to suggest that Heartbleed was added intentionally. Unless you are a conspiracy theorist, the idea that people doing such unpaid work would introduce this bug deliberately sounds ridiculous.

The truth is that software will always have bugs. Any developer knows this from experience from the first day on the job. No matter how much testing is done or how strict the development process is, some bugs will always slip through. You can reduce their number with additional resources, but you can never get rid of them completely. Could Heartbleed have been caught during development if all its maintainers had been working on the project full time and had more time for more rigorous testing and review? Perhaps, but we will never know.

This is what open source users should keep in mind. Bugs will exist in all programs, including Open Source, and open source developers usually have far fewer resources to find them.

So instead of resenting the maintainers and throwing accusations, be grateful for the tools that are available to you free of charge and free to use. If possible, give something back to the maintainers to show your appreciation and help support their efforts. If you depend heavily on solutions built on open source software, give their developers the means to work on them full time, even if it costs you a lot of money.

Source: https://habr.com/ru/post/219163/
