Wednesday, April 16, 2014

What Do GnuTLS and OpenSSL Teach Us?

Recently there has been a lot of news about security issues in open source software. GnuTLS was the first to come to light, followed by OpenSSL (the so-called "Heartbleed" bug). Some people are completely unaware, while others (corporate slaves) use this to attack the free software movement itself, saying open source is insecure.

First, being an open source project won't automatically make the code superior or free of bugs. Quality software can only be written through repeated review and testing by highly skilled programmers. So, who is going to review? Who is going to code? Most free software is developed by comparatively good developers and frequently reviewed by maintainers and communities. Most projects have an active base of beta testers too. So free software is, most of the time, superior in quality compared to proprietary software.

BUT, there are many projects where the maintainers accidentally overlook a programming error, which may or may not have been intentional. In such cases, there is a chance for the bug to get into the released version. It will stay there for a long time after that, since review mostly happens for new code. So, unless a biting issue shows up or someone catches the bug by chance during a review, the bug will stay.

This is what happened with GnuTLS and OpenSSL. But there is a solution to this problem. As we discussed earlier, college students and hobby programmers can be encouraged to review, test and write code for free software projects. That will surely improve things a lot. Next, the corporations that use free software should show some social responsibility by providing software engineers to test, review and fix bugs in the products they use. Thankfully, the OpenSSL bug was uncovered by Google's review. I know there are smaller companies that can't do that. They can contribute by donating whatever money, time or resources they have to the projects they rely upon.

Quality and safety won't come for free. Especially in a community, it is everyone's responsibility. But what people expect is much like, "I am a user and they are the developers". That mindset is the worst problem here. Everyone should think of themselves as part of the free software community, and whatever we create or use should benefit all of us.

By the by, for those corporate slaves: Free Software developers are resisting government pressure to create backdoors for the security agencies, but corporations gladly open doors for some money. With closed source tools, who knows how many such bugs exist? Don't think that because the source is closed, nobody can exploit it. Malicious hackers will use a disassembler to do the job for them. So unavailability of source and rigid licensing will only delay or prevent identifying and fixing the issues, while not impacting those who exploit them.

When there is a bug in free software or open source software, it becomes news because such bugs are rare. But millions of proprietary software bugs are exploited day in and day out without much noise, because they are the usual thing, and even serious issues are covered up by corporate lobbies.

If you still feel that free software is inferior in quality, then it is time to do something to change it instead of sitting and complaining.

Talk is cheap. Show me the code. - Linus Torvalds

2 comments:

David S said...

Now it is proved that open source code is superior: http://www.ciol.com/ciol/features/213112/coverity-scan-report-source-software-quality-outpaces-proprietary-code

RK said...

David S,

Good article and your work towards free software movement is well appreciated.

Good job, keep it going.