Heartbleed: Is the open source development model broken?

Moderated by Zack Whittaker | May 12, 2014 -- 07:00 GMT (00:00 PDT)

Summary: After Heartbleed, must open source development change?

Ed Bott

Steven J. Vaughan-Nichols

Best Argument: Yes

Audience Favored: No (65%)

Closing Statements

Time for a change

Ed Bott

My opponent’s faith in Open Source is admirable. But you can’t run the global Internet as a faith-based organization.

The problem that caused the Heartbleed security nightmare is directly attributable to missing management infrastructure, which costs money. You can’t just ask a couple developers and an intern to audit code. You need a formal security review process and an honest-to-God QA department.

In his rebuttal answers, my opponent admits over and over again that the current Open Source development model is broken. That’s why the Core Infrastructure Initiative is being rushed into existence. But will it get enough funding to do an effective job? Unlikely.

He says, “If your company depends on a certain open-source program for its livelihood you darn well better have someone on staff who does know the code.” Seriously? Tens of thousands of companies use OpenSSL, which consists of “hundreds of thousands of lines of very complex code.” Customers can’t be expected to review every line of code they use.

Unfortunately, Heartbleed probably wasn’t an isolated example. As long as Open Source projects are run on inadequate resources with insufficient management, they’ll happen again. It’s past time for a change.

Open Source for the win

Steven J. Vaughan-Nichols

Ed and I can argue about the fine details, but at day's end we both agree that if developers use open-source programming methodology correctly you can produce great software.  I also believe that proprietary software methods can produce fine programs as well. I just believe that the odds are better you'll end up with high-quality, secure programs if you follow an open-source roadmap for your project.

Successful pure open-source companies such as Red Hat, SugarCRM, and Alfresco, an enterprise content management provider, use all the same software development management practices that proprietary software vendors use. Other companies that you may not think of as open source development houses, such as Dell with OpenStack and Facebook with Open Compute, use both open source and "corporate" development methods.

In short, when done right, open-source combines both open source's virtues with so-called "proprietary" methodologies. It's only in those corner cases, like OpenSSL with Heartbleed, where a program is both popular and under-funded that there exists the real possibility of a major security problem. Now that Heartbleed has made people aware of this, efforts such as the Core Infrastructure Initiative will help prevent major security holes.

So, as far as I'm concerned, open-source is still the best way to develop secure, safe software.

A close race

Zack Whittaker

I must admit, this one was tricky, but I'm going with Mr. Bott. While Mr. Vaughan-Nichols made some good points, I found many of his responses avoided the particular issue in hand — the practical problems with open-source's development approach.

Mr. Vaughan-Nichols nevertheless made some deep-rooted arguments about the open-source development model, notably comparing and contrasting the so-far "one-off" Heartbleed flaw with one of the buggiest closed-source applications on the market, Internet Explorer. And, yes, his argument that large companies that use open-source software should invest in the community they rely on so much almost won me over.

But what clinched it for me was the core of the subject. Mr. Bott's killer closer put the icing on the debate cake. Yes, flaws exist in major proprietary code and closed-source apps. But while sometimes thousands of contributors may help build a better functioning product, the security implications in a world with insufficient management and resources probably won't prevent another Heartbleed from existing.

It was a close race, make no mistake — and the audience agreed by a large majority with Mr. Vaughan-Nichols. But I think Mr. Bott has to take the win in this case.

  • All models are "broken."

    All models are "broken." Software is written by imperfect humans, and debugged by imperfect humans and tools written by imperfect humans.

    That's just the reality we live in, sorry. Everything is equally "broken" in the sense that we're never going to see the end of bugs.

    Being open source may make it easier for the software to be vetted by random people, but is no guarantee that random people will vet it, or that those people will spot the problem and share it with the community.

    There are also things like the halting problem which say not everything can be solved. Not because we're human, but because the problem is actually mathematically unsolvable.

    Open source is not perfect - but it's probably the least broken model we've got. And the transparency of the code and the ability to share it gives it advantages well beyond debugging.
    72 Votes, I'm Undecided
    • But we carry on as if it isn't broken

      Open source just means you don't have to be a Wikileaks insider to see the code, and that the code is portable out from dying developers (e.g. post-Oracle Open Office).

      Those are two massive wins, but whether anyone actually picks up and fixes bugs is a matter of committed resources (i.e. folks paid for being responsible for doing that). Having a rudder on a boat isn't much good if there's no hand on the tiller.

      Code quality is so poor that we have to leave the door open for repairs on a pushed basis - yet we still develop as if one could actually trust code not to suck, blobbing everything together in one sprawling cloudy mass. We panic when a "12 year old OS" ceases to get patches, even after 12 years of repairs.

      This is akin to ignoring the Halting Problem, or the assertion that perpetual motion machines are impossible. It's really irresponsible to create an increasing dependence on materials known and proven to be unreliable.
      50 Votes, I'm Undecided
    • The difference between OSS and Proprietary is testing. QA if you will.

      Good proprietary companies do code review, but they also expose it to a QA group whose job it is to look for bugs.

      Some OSS may have QA but I don't know that is true for all the many libraries out there.

      I agree that flaws happen but mitigating risk involves a multi-tier approach.

      Speaking as one who works for a medical device company.

      Microsoft uses its employees' computers for testing in addition to automated tests - every night, and many of them must run the latest build during the day. One test connects 128 USB devices at once. This is my personal favorite style of testing - stress testing. It isn't the most effective, but it can be a lot of fun.
      49 Votes, I'm Undecided
      • OSS won the mind-share: 65% : 35%

        40 Votes, I'm Undecided
        • What mind share?

          An odd post.
          52 Votes, I'm Undecided
          • Yet, you left out what is happening... Now is later...

            "it's happening right now."
            49 Votes, I'm Undecided
      • Some OSS may have QA but I don't know that is true for all the many lib...

        You don't know that for proprietary software either.
        31 Votes, I'm Undecided
    • True but, 95% of vulnerabilities already have patches published

      Whitesource just broke this down by the numbers in a study of 6,000 commercial projects. While 33% had vulnerabilities, 95% could have been patched. So updates need to happen regularly, and yes, to your point, the resources need to be dedicated…

      Check out the infographic on this: http://bit.ly/forms1zoss
      I'm Undecided
  • Funny. Steven merely backed up what Ed Bott wrote.

    Steven's 'defense' of open source seemed to just back up what Ed Bott wrote (and what I have believed for years). Trusting in volunteer, or poorly paid and largely uncoordinated people to vet code that someone else has written is fraught with dangers. No method is infallible, but I doubt that all open source code has been vetted thoroughly. Up until recently, it hasn't been as big an issue, but then again, up until the past few years, other OSs and software have dominated. I think the rise of Android has thrust open source much more into the field of view of the 'bad guy', and we can only expect more flaws to be found as the years pass. If no one is paying me (a la open source programmers), why should I dedicate years of my life to maintaining code? I just don't get it.
    64 Votes, I'm for Yes
  • Open source isn't broken but free as in money is

    The issue isn't with source code being open or closed. The software socialism being these days is to blame for Heartbleed, not open source per se. If a company had to pay for an asset (OpenSSL in this case), they would be far more likely to look at what they were actually paying for rather than just blindly using it because everyone else does and because "it's free." Ownership and stewardship go hand in hand; to use a loose analogy, it's why renters are generally worse for a neighborhood than owners.

    On the other side, I am a developer and I can't understand what drives so many amazingly talented developers to spend so much of their brainpower making other people rich. Maybe it's because they too don't want to own any failures and have any accountability, as there's no one to get angry at you when no one paid you. To me this is a very immature way of doing things; developers should build great things, get paid for them when they are successful, and own up to failures when they happen. That's called being a grown up, and until people understand that those who give away their work for free are not behaving as such, we are doomed to repeat Heartbleed many times over.
    58 Votes, I'm Undecided