It appears as if much of the open source infrastructure we depend on is suffering from neglect. That’s the message brought to the SouthEast LinuxFest (SELF) by David Nalley. Listening to his talk, “The Tragedy of Open Source,” it was hard not to think that some of our infrastructure projects are beginning to resemble some disintegrating municipal water and sewer systems, or maybe compare his examples with our crumbling roads and bridges. Nalley is a South Carolina based “recovering sysadmin” who now wears many hats at Apache as well as being an employee at Citrix.
The neglect he mentions has caused more than a few near misses that fell inches short of disaster, with two major incidents happening last year alone.
Take the Heartbleed vulnerability that affected openSSL. Nalley points out that last year when the bug was discovered, there was only one person, earning a mere twenty grand a year, actively maintaining the openSSL project. Also last year, there was only one person maintaining bash when Shellshock was discovered.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
Patches are available to fix the bash vulnerability known as Shellshock, along with three additional security issues recently found in the bash shell. The patches are available for all major Linux distros as well as for Solaris, with the patches being distributed through the various distros.