Open source - the foundation of the Internet
According to the Linux Foundation, 72% of Fortune 2000 companies use open source tools to solve their problems, and 55% use open source in commercial products. Open source software is widespread in data centers: Facebook, Rackspace, NASA and AT&T, for example, run on it. A number of cloud providers and IT companies even founded the Open Compute Project. It is developing an open standard server rack architecture (Open Rack) and modular server requirements for cloud data centers (OpenCloud Server).
A significant share of popular open source products are large-scale projects such as Kubernetes, TensorFlow or Ansible, developed and financed by large IT companies. But there are also small products (e.g. cURL) that are supported by enthusiasts, often on a voluntary basis and in their free time. And this is where the pitfalls lie.
Why this model is criticized
The concept of open source implies that anyone can modify the source code and correct errors in it. Collective effort should raise the quality of the code base and reduce the number of bugs. Unfortunately, this model does not always work.
A significant share of the changes to an open source project is made either by a small team or by a single maintainer. For example, of the 25 thousand commits in the cURL repository, 14 thousand belong to its author, Daniel Stenberg. For a long time the OpenSSL library had no more than four developers, and most of the commits were made by one of them, Steve Henson. Under such conditions it is easy to overlook or "skip" a bug.
Five years ago, one of the largest software vulnerabilities, Heartbleed, was discovered in OpenSSL. It allows unauthorized reading of memory on a server or client. At the time, the number of vulnerable websites was estimated at half a million. A patch was released immediately, but as late as 2017, 200 thousand sites affected by Heartbleed were still operating.
Many open source projects have funding problems. OpenSSL itself exists on donations from the community and income from corporate contracts, which together do not exceed a million dollars a year. The project's former CEO says that one of the reasons Heartbleed appeared was precisely the lack of funding. It can be difficult for engineers to raise funds even for consulting. According to Daniel Stenberg, international companies often approach him with requests to help solve a problem in cURL, but every time he asks to be paid for his work, the conversation stops for some reason.
"Sometimes developers work on open source projects in their free time as a hobby. Therefore, it is not surprising that some applications are abandoned. If no one wants to keep the project afloat, the community formed around it disintegrates.
In the worst case, users of the system may become the target of a hacker attack. An example is last year's attack on the npm event-stream module."
The author of the project, Dominic Tarr, had moved on to other tasks and left his creation unattended. A user offered to take over maintenance of the module.
Tarr agreed and granted him access to the repository on GitHub and npm. Over time, the new maintainer introduced a script into the utility that stole bitcoin wallet data and uploaded it to his server. The vulnerability affected a large number of users, given that event-stream has 1.9 million downloads per week.
How to fix the situation
According to the US National Bureau of Economic Research, the main motivating factor for open source development is economic benefit. Therefore, open source developers are looking for ways to monetize their work. For example, they move some modules to restrictive or even commercial licenses. MongoDB, Redis and other companies have taken this path.
We have already spoken about the situation in more detail. The developers believe that even partial commercialization of the code will open an additional source of income and attract new people to the project. But such a model is often met with hostility by the IT community.
It is believed that the approach contradicts the concept of open source software. Moreover, it does not suit everyone. In 2017, the Caddy web server announced a commercial license for HTTP/2. But a month ago, for some reason, the project was returned to open source.
The global Internet infrastructure depends on open source projects, so it is important to pay attention to their support. Work in this direction is underway: the Linux Foundation regularly gains new members, and large companies are investing more and more in open source. Perhaps such initiatives will help avoid a repeat of a story like Heartbleed.