Heartbleed: Is the open source development model broken?

Moderated by Zack Whittaker | May 12, 2014 -- 07:00 GMT (00:00 PDT)

Summary: After Heartbleed, must open source development change?

Ed Bott

Steven J. Vaughan-Nichols

Best Argument: Yes


Audience Favored: No (65%)

The moderator has delivered a final verdict.

Opening Statements

All open source software is not created equal

Ed Bott: I love Open Source software. I find it hard to imagine a world without Apache, WordPress, and Firefox, to name three easy examples.

But the world is not a better place because of a horrible security flaw in another Open Source package, the widely used OpenSSL library that existed on web servers for more than a year. The Heartbleed flaw exposed just about everyone who has ever used the Internet to potentially catastrophic losses.

So what happened to the “many eyeballs” that were supposed to inspect that code and find the bugs? Alas, there weren’t enough funds to pay for those eyeballs. Even after the flaw was discovered and donations increased, there’s still not enough money to sustain development properly. And that story, not enough backing and not enough skilled developers, is true for many, many projects.

There’s nothing magical about Open Source, nothing evil about closed source. What matters is that the project be run by an organization that has the resources to write, test, ship, deploy, and maintain code properly. The idea that any Open Source project can be widely used even if it doesn’t have proper backing has to end.

It wasn't a failure of open source

Steven J. Vaughan-Nichols: Seriously? That's the question? Come on!

Make no mistake about it. Heartbleed was open-source's worst hour. But, it wasn't a failure of open source per se. It was a failure to actually practice open-source development methods.

Every developer makes programming blunders. One of the big reasons why open source works is, to quote Linus's law as proclaimed by Eric S. Raymond in his seminal essay "The Cathedral and the Bazaar", that "Given enough eyeballs, all bugs are shallow."

The problem with OpenSSL that let the Heartbleed blunder in is that no one really looked at the code. Heck, it seems not even the NSA looked at the code!

In short, the recipe is still fine, but only if the cooks actually follow it! Of course there are reasons why people don't do this. One of the biggest seems to have been simply paying people to look for bugs. To fix that problem the Core Infrastructure Initiative, made up of top tech companies including Amazon, IBM, Intel, and VMware, will now be sponsoring important, but underfunded, open-source projects.

With cash in hand, and people sticking to the true open-source method, I don't see a repeat of Heartbleed coming up anytime soon.


  • All models are "broken."

    All models are "broken." Software is written by imperfect humans, and debugged by imperfect humans and tools written by imperfect humans.

    That's just the reality we live in, sorry. Everything is equally "broken" in the sense that we're never going to see the end of bugs.

    Being open source may make it easier for the software to be vetted by random people, but is no guarantee that random people will vet it, or that those people will spot the problem and share it with the community.

    There are also things like the halting problem which say not everything can be solved. Not because we're human, but because the problem is actually mathematically unsolvable.

    Open source is not perfect - but it's probably the least broken model we've got. And the transparency of the code and the ability to share it gives it advantages well beyond debugging.
    Reply 72 Votes I'm Undecided
    • But we carry on as if it isn't broken

      Open source just means you don't have to be a Wikileaks insider to see the code, and that the code is portable out from dying developers (e.g. post-Oracle Open Office).

      Those are two massive wins, but whether anyone actually picks up and fixes bugs is a matter of committed resources (i.e. folks paid for being responsible for doing that). Having a rudder on a boat isn't much good if there's no hand on the tiller.

      Code quality is so poor that we have to leave the door open for repairs on a pushed basis - yet we still develop as if one could actually trust code not to suck, blobbing everything together in one sprawling cloudy mass. We panic when a "12 year old OS" ceases to get patches, even after 12 years of repairs.

      This is akin to ignoring the Halting Problem, or the assertion that perpetual motion machines are impossible. It's really irresponsible to create an increasing dependence on materials known and proven to be unreliable.
      Reply 50 Votes I'm Undecided
    • The difference between OSS and Proprietary is testing. QA if you will.

      Good proprietary companies do code review but they also expose it to a QA group whose job it is to look for bugs.

      Some OSS may have QA but I don't know that is true for all the many libraries out there.

      I agree that flaws happen but mitigating risk involves a multi-tier approach.

      Speaking as one who works for a medical device company.

      Microsoft uses its employees' computers for testing in addition to automated tests - every night, and many of them must run the latest build during the day. One test connects 128 USB devices at once. This is my personal favorite style of testing - stress testing. It isn't the most effective but it can be a lot of fun.
      Reply 49 Votes I'm Undecided
      • OSS won the mind-share: 65% : 35%

        Reply 40 Votes I'm Undecided
        • What mind share?

          An odd post.
          Reply 52 Votes I'm Undecided
          • Yet, you left out what is happening........ Now is later.....

            “it's happening right now.”
            Reply 49 Votes I'm Undecided
      • Some OSS may have QA but I don't know that is true for all the many lib...

        You don't know that for proprietary software either.
        Reply 31 Votes I'm Undecided
    • True but, 95% of vulnerabilities already have patches published

      Whitesource just broke this down by the numbers in a study of 6,000 commercial projects. While 33% had vulnerabilities, 95% could have been patched. So updates need to happen regularly and yes to your point the resources need to be dedicated…

      Check out the infographic on this: http://bit.ly/forms1zoss
      Reply Vote I'm Undecided
  • Funny. Steven merely backed up what Ed Bott wrote.

    Steven's 'defense' of open source seemed to just back up what Ed Bott wrote (and what I have believed for years). Trusting in volunteer, or poorly paid and largely uncoordinated, people to vet code that someone else has written is fraught with dangers. No method is infallible but I doubt that all open source code has been vetted thoroughly. Up until recently, it hasn't been as big an issue, but then again, up until the past few years, other OSs and software have dominated. I think the rise of Android has thrust open source much more into the field of view of the 'bad guy' and we can only expect more flaws to be found as the years pass. If no one is paying me (a la open source programmers), why should I dedicate years of my life to maintaining code? I just don't get it.
    Reply 64 Votes I'm for Yes
  • Open source isn't broken but free as in money is

    The issue isn't with source code being open or closed. The software socialism being these days is to blame for Heartbleed, not open source per se. If a company had to pay for an asset (OpenSSL in this case) they would be far more likely to look at what they were actually paying for rather than just blindly using it because everyone else does and because "it's free." Ownership and stewardship go hand in hand; to use a loose analogy, it's why renters are generally worse for a neighborhood than owners.

    On the other side, I am a developer and I can't understand what drives so many amazingly talented developers to spend so much of their brainpower making other people rich. Maybe it's because they too don't want to own any failures and have any accountability, as there's no one to get angry at you when no one paid you. To me this is a very immature way of doing things; developers should build great things, get paid for them when they are successful, and own up to failures when they happen. That's called being a grown-up, and until people understand that those who give away their work for free are not behaving as such, we are doomed to repeat Heartbleed many times over.
    Reply 58 Votes I'm Undecided