Sign In

Communications of the ACM


Quality Software Costs Money - Heartbleed Was Free

Quality Software Costs Money, illustration

Credit: Sopi MC

back to top 

The world runs on free and open source software, FOSS for short, and to some degree it has predictably infiltrated just about any software-based product anywhere in the world.

What's not to like about FOSS? Ready-to-run source code, ready to download, no license payments—just take it and run. There may be some fine print in the license to comply with, but nothing too onerous or burdensome.


Gunnar Wolf

I think there is an important point you overlooked in this interesting article And no, there is no way I can imply you don't know the topic well enough. But for bits of infrastructure so heavily and broadly used as OpenSSL is, there are many people employed by other companies looking at the code. Those can far exceed the "20 hours a year" you mention. Of course, they will prbbably be looking to make enhancements, and few will do the hard work to watch with a magnifying glass every other commit, trying to spot wrong interactions as the one which led to this important bug.

OpenSSL does carry the additional burden of relying on so much legacy code. The comments made by the OpenBSD team when they started the LibReSSL project are quite telling tons of #ifdefs targetting long-dead architectures, a very spaghetti-esque way of coding... Make auditing the code a very hard feat.

However, I do see the response to Heartbleed as a proof the FOSS development model works very good. Of course, a bad bug slipped by as it happens in every kind of project. But the way the FOSS community (from its different "angles") replied was most responsible, quick, and led to an important questioning and reworking on several ways for different projects, towards an overall bettering of code quality.

Poul-Henning Kamp

"But for bits of infrastructure so heavily and broadly used as OpenSSL is, there are many people employed by other companies looking at the code"

Are there ?

Personally I doubt it, given that the universal reaction from anybody I have ever talked with who looked at the OpenSSL source code has been to find something else to do, post haste.

But assuming you are right: are they only looking at the code, likely shaking their head in disbelief, or do they have the (significant!) time, inclination and skill to improve it too ?

And if they do, have they got commit-privilege to the OpenSSL version control system, or will their patches, when submitted to the OpenSSL project, be accepted or will they languish in the bug-tracker, along with pretty much everything else sent to the OpenSSL project over the years ?

I agree with you that "the FOSS development model works very good", but the FOSS *maintenance* model doesn't work at all.

Displaying all 2 comments

Log in to Read the Full Article

Sign In

Sign in using your ACM Web Account username and password to access premium content if you are an ACM member, Communications subscriber or Digital Library subscriber.

Need Access?

Please select one of the options below for access to premium content and features.

Create a Web Account

If you are already an ACM member, Communications subscriber, or Digital Library subscriber, please set up a web account to access premium content on this site.

Join the ACM

Become a member to take full advantage of ACM's outstanding computing information resources, networking opportunities, and other benefits.

Subscribe to Communications of the ACM Magazine

Get full access to 50+ years of CACM content and receive the print version of the magazine monthly.

Purchase the Article

Non-members can purchase this article or a copy of the magazine in which it appears.