
At the end of December, the Ministry of Communications and Mass Media published its position on introducing free software (Russian: СПО) in government agencies. The document lists the advantages of free products, chief among them that they are free of charge and secure. But is that really so?
Free as in free of charge?
There is a widespread belief that free (libre) software is also free of charge. The Ministry's document uses exactly this thesis:
First, it is cheap and anti-corruption. Free software does not require license payments for each installed copy of the programs.
However, IT experts, including the founder of the free software movement, Richard Stallman, disagree. Stallman himself repeats the same phrase in each of his speeches:
Free means free as in freedom, not free of charge. And neither of those is the same as Open Source. These are three concepts that should not be mixed up.
One need not look far for examples confirming this view. Recently, Dell agreed to pay Microsoft license fees ("royalties") for using Android and Chrome OS on its devices: the Redmond corporation holds a number of technology patents that are used in the open source projects created by Google.
The same Stallman published an article calling for support of the campaign to "free Android", that is, to publish the operating system's source code (which its creator, Google, is not going to do).

Ultimately, open source software may be free of charge for the end user, but with corporate products and mass deployments things are not so simple. A company can take part in developing the product it needs and send its fixes back to the common repository, or (if, while adapting the product, it has stepped outside the terms of the GNU license) hire its own dedicated development team to maintain a fork. As is easy to guess, this path has little to do with being free of charge.
Free software is more secure
Since, as we have just seen, free (libre) software, free-of-charge software and Open Source are three different things, it would seem that at least one of them should be more secure than proprietary products. In fact, it is not.
The Ministry's document says that closed products are less secure because they contain undocumented features:
Many proprietary applications from reputable manufacturers contain undocumented features, which is a potential threat.
But many open (free, libre) applications also contain undocumented functions. Developers do not always have the time (and do not always want) to document their project's capabilities properly. Moreover, a number of thoroughly documented functions (for example, unserialize in PHP, or Bash) are themselves a potential threat.
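The point about documented functions deserves a concrete illustration. The following is an added example (mine, not the author's, and not taken from the article or any project it mentions) that uses Python's pickle as a stand-in for PHP's unserialize; the assumption is that the two share the relevant property: loading attacker-controlled serialized data, used exactly as documented, executes code. It constructs a payload that sets an environment variable when loaded (a harmless, visible marker standing in for a real command), shows that pickle.loads runs it, and then shows a restricted unpickler, built on the find_class allow-list approach from the Python documentation, that rejects the same bytes before anything is called while still loading ordinary data. The names Payload, RestrictedUnpickler and PICKLE_DEMO_PWNED are made up for the demonstration.

```python
"""Added example: a documented deserialization API is itself the attack surface.

Python's pickle stands in for PHP's unserialize (an assumption of this example:
both run code from the data they load, exactly as documented).  Nothing here is
from the article; Payload, RestrictedUnpickler and the marker variable
PICKLE_DEMO_PWNED are names made up for the demonstration.
"""
import io
import os
import pickle

MARKER = "PICKLE_DEMO_PWNED"  # environment variable used as a harmless, observable side effect


class Payload:
    """Attacker-controlled object: pickling it emits a stream that, on load,
    calls builtins.exec with our string.  A real payload would call
    os.system; we only set an environment variable so the effect is visible
    and harmless."""

    def __reduce__(self):
        return (exec, (f"import os; os.environ['{MARKER}'] = '1'",))


def build_payload() -> bytes:
    """Constructed 'serialized session' as an attacker would send it."""
    return pickle.dumps(Payload())


def naive_load(data: bytes):
    """Load the data exactly as the documentation shows.  The documented
    behaviour (call the referenced callable with the stored arguments) is
    the whole vulnerability: nothing undocumented is involved."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: every global reference in the stream must be on an
    allow-list, otherwise loading is aborted before any call is made.
    Plain dicts, lists, strings and numbers need no globals, so an empty
    allow-list still loads ordinary data."""

    ALLOWED = frozenset()  # add ("module", "name") pairs only when genuinely needed

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_load(data: bytes):
    """Load with the allow-list enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Run both loaders against the same bytes and report what happened."""
    payload = build_payload()
    benign = pickle.dumps({"user": "alice", "role": "viewer"})  # constructed ordinary data

    os.environ.pop(MARKER, None)
    naive_load(payload)                       # attacker code runs here
    naive_executed = os.environ.pop(MARKER, None) == "1"

    try:
        safe_load(payload)                    # rejected at the global reference, before REDUCE
        safe_blocked = False
    except pickle.UnpicklingError:
        safe_blocked = os.environ.get(MARKER) is None

    benign_ok = safe_load(benign) == {"user": "alice", "role": "viewer"}
    return {"naive_executed": naive_executed,
            "safe_blocked": safe_blocked,
            "benign_ok": benign_ok}


if __name__ == "__main__":
    print(demo())  # {'naive_executed': True, 'safe_blocked': True, 'benign_ok': True}
```

The lesson for the "undocumented functions" criterion is that it would not have flagged either loader: both behave exactly as their documentation says. What makes the first dangerous is untrusted input reaching a documented capability, which is a matter of design and configuration, not of documentation.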
A separate question that needs answering is what exactly "undocumented functions" are. Does a menu item not described in the documentation qualify? If we are talking about "undeclared capabilities", then there must be a process for declaring them. If vulnerabilities are meant, that is a completely different topic.
In fact, to increase confidence in the security of code, it is enough to follow a simple algorithm:
- There must be a single party ultimately responsible for this security (internal or external, for example the software vendor).
- That party must be given the corresponding task.
- It must be provided with the necessary means and tools.
- Secure development (SDL), configuration management and vulnerability management must be implemented.
In that case it is entirely unimportant whether the software being worked on is "free", "libre", "paid" or "proprietary". Published source code in some cases makes the security work easier (though it still is not free of charge), but it does not help (and sometimes hinders) finding the responsible party. Moreover, total openness makes the question "who wrote this line?" pointless.
In the case of the backdoor in RSA, it turned out that the company had taken money from the NSA, so the culprit was found. But who is to answer for the Heartbleed vulnerability in the OpenSSL library is still unclear.
On the other hand, free software is easier to adapt to changing conditions. Of course, installing "closed and non-free" Windows on the HMI in industrial control systems is an obvious mistake, with the result that in many systems the vulnerability CVE-2010-2568, through which the Stuxnet worm spread, has still not been closed. Using an "open" system would let you develop your own patch, but that requires a development team, which costs money.
Should the state develop Russian open source?
Another excerpt from the Ministry's document voices the thesis that free software serves national interests:
Fourth, the use of free software takes national interests into account. Although the creation of free programs is inseparable from the global developer community, services for their adaptation, implementation, support and development are provided, as a rule, by national firms, which is more beneficial to the state and society.
It turns out that "adapting" Open Source (even in violation of the GPL) properly serves the country's interests, but creating one's own technology from scratch, which for some reason is not open source, does not.
There are very few companies like ALT Linux in Russia that do everything right, to the letter of every open-source license and law. On the whole, developing a "free domestic software stack" is perhaps a worthy task, but clearly not the first priority.
Here I would like to turn to another popular topic: the creation of a "domestic OS".
No operating system needed!
In the matter of import substitution it is much more logical to focus not on creating one's own OS and office suites but on quite different directions. One should start with something that has an end goal and whose effectiveness can be measured. The operating system is clearly not that "something".
Desktops
Despite their archaic nature, desktops will long remain a serious consumer of IT budgets in the corporate sector, with a 3-5 year refresh cycle. Given that the public sector and the companies tied to it form a substantial part of the corporate sector in Russia, moving this niche to Russian products is quite realistic; all it takes is a determined decision.
"Well, there's your Windows!" the reader will say. Far from it! The desktop has to be built starting from the processor. And we have one, and not a bad one. Yes, this is about Elbrus.
Already while working on one's own processor, one has to solve the creation of operating systems, programming languages and the other elements of the ecosystem. For software vendors to want to write for the notional "Elbrus", there must be demand for such products, and MCST must be able to produce enough hardware.
The already mentioned state-owned companies and their satellites could form the backbone of the first users. If software vendors (the same ALT Linux, or JetBrains) see prospects and a user base, they will not refuse to create a version for Elbrus (by the way, we are now porting PT Application Firewall to this processor), and compatibility with "plain Linux" and other platforms will follow.

Everything to the cloud
The trend of "moving" many familiar applications to the cloud is undeniable: Excel, Word and 1C are already there. A private "office" cloud would cover the needs of 90% of corporate desktop users. These products are increasingly becoming an ordinary substrate beneath the "Internet" itself. The browser becomes the most important desktop application, and creating one is not at all as hard as the examples of Opera and Yandex Browser show.
It would seem that everyone has moved to Chromium, but there is nothing wrong with that. Taking an existing platform as a base, adding features to it and providing a support cycle would produce a competitive product. And in parallel one could work on one's own Chromium, if needed.
Iron Sky
Of course, other components are also needed to build one's own cloud, and the first problem here is the lack of hardware (the situation with server platforms is especially sad). No quick solution should be expected in this area, so in the first stages there is nothing wrong with using existing solutions.
With network hardware the situation is gradually improving; in the NAS area RAIDIX is doing serious things, and T-Platforms cannot be ignored. With software the situation is much better: there is an excellent virtualization platform from Parallels, and nginx as a reliable basis for application servers.
Not everything is smooth with DBMSs (even the creators of Elbrus at MCST speak of Oracle), although there are products such as Linter and Red Database. At the same time, one must understand that migrating off MS SQL and Oracle is not easy. That does not mean, however, that there is no need to create one's own enterprise DBMS: at least an RDBMS and some number of NoSQL projects (for example, document and graph stores) would certainly not hurt. Even if we take PostgreSQL, Hadoop or Elasticsearch as a basis, the main thing is that these products are used and applications are built on them.
Summing up
Of course, free software can and should be used, adapted and developed. However, the theses about it being free of charge, "license-clean" and secure do not stand up to scrutiny. "Free" and "secure" are just fairy tales, and everyone knows where free cheese is to be found.
The current period could be a golden age for the IT industry in Russia. In the matter of import substitution it is necessary to rely on "national champions" in their fields, working in close cooperation, to push breakthrough or simply necessary projects, to give business "long money" and to provide control and transparency; but all of that is up to the state.
Author: Sergey Gordeychik, based on posts from his personal blog (1, 2)