It appears as if much of the open source infrastructure we depend on is suffering from neglect. That’s the message brought to the SouthEast LinuxFest (SELF) by David Nalley. Listening to his talk, “The Tragedy of Open Source,” it was hard not to think that some of our infrastructure projects are beginning to resemble some disintegrating municipal water and sewer systems, or maybe compare his examples with our crumbling roads and bridges. Nalley is a South Carolina based “recovering sysadmin” who now wears many hats at Apache as well as being an employee at Citrix.
The neglect he mentions has caused more than a few near misses that fell inches short of disaster, with two major incidents happening last year alone.
Take the Heartbleed vulnerability that affected openSSL. Nalley points out that last year when the bug was discovered, there was only one person, earning a mere twenty grand a year, actively maintaining the openSSL project. Also last year, there was only one person maintaining bash when Shellshock was discovered.
Lest you think these are isolated exceptions, they’re not. Take the case of GnuPG. This popular FOSS replacement for PGP has only one maintainer. Does that make you feel secure in the age of Snowden?
At Apache there’s a metric called the Pony Factor, which Nalley watches when evaluating the health of projects. Basically, the factor identifies the smallest number of people writing 50% of a project’s code over a two year period; the bigger the number, the more vibrant the project. However, even some relatively large projects show figures that are downright scary. For instance, at Git one person has written over half the code over the last two years. At Perl: Three people wrote at least half the code over the same two year period.
“There’s a lot of Perl still running,” Nalley points out, “so three people maintaining the code is quite disturbing.”
Indeed it is. In today’s online world, fraught with security issues, I’d hate to be running a website on a Perl based platform knowing that.
The problem, as Nalley sees it, might not be dissimilar to what we see happening with our roads and bridges. New roads and bridges are being built all the time because the public loves new roads and it helps politicians get elected. Not so much with maintaining those roads and bridges after they’re built. Hence, we see tragedies such as the 2007 Minneapolis bridge collapse that took thirteen lives.
“Much of the time we’re focusing on new functionalities,” says Nalley. “We’re not focusing on maintenance.”
He points out that over the last year or so, Google has spent more money developing a set of fonts to be used in its advertising programs than openSSL has spent for the entirety of its project. No slam on Google, of course. This isn’t about how much Google is spending, it’s about how little is being allocated to projects like Git, openSSL and bash by open source software companies who depend on the viability of these projects.
However, maybe we can put that last statement in past tense.
Evidently Heartbleed was something of a wake up call, as this vulnerability prompted Linux Foundation executive director Jim Zemlin to quickly get thirteen tech companies to fund a new project, the Core Infrastructure Initiative (CII), to the tune of $100,000 per company per year. This money is disbursed for such things as paying developers to work full time on OSS projects, conducting reviews and security audits and helping to facilitate travel and meetings among developers. Since the initiative began in April of last year, five additional tech companies have come on board.
It didn’t take long for this project to prove its worth. In September of last year, a mere five months after CII was born, the initiative was able to offer assistance to bash maintainer Chet Ramey after the discovery of Shellshock.
You can watch David Nalley’s presentation at this year’s SELF below. The video portion is mainly slides, so feel free to listen while you do other things.