Communications of the ACM
Quality Software Costs Money - Heartbleed Was Free
Credit: Sopi MC
The world runs on free and open source software, FOSS for short, and to some degree it has predictably infiltrated just about any software-based product anywhere in the world.
What's not to like about FOSS? Ready-to-run source code, ready to download, no license payments—just take it and run. There may be some fine print in the license to comply with, but nothing too onerous or burdensome.
Comments
Gunnar Wolf
I think there is an important point you overlooked in this interesting article And no, there is no way I can imply you don't know the topic well enough. But for bits of infrastructure so heavily and broadly used as OpenSSL is, there are many people employed by other companies looking at the code. Those can far exceed the "20 hours a year" you mention. Of course, they will prbbably be looking to make enhancements, and few will do the hard work to watch with a magnifying glass every other commit, trying to spot wrong interactions as the one which led to this important bug.
OpenSSL does carry the additional burden of relying on so much legacy code. The comments made by the OpenBSD team when they started the LibReSSL project are quite telling tons of #ifdefs targetting long-dead architectures, a very spaghetti-esque way of coding... Make auditing the code a very hard feat.
However, I do see the response to Heartbleed as a proof the FOSS development model works very good. Of course, a bad bug slipped by as it happens in every kind of project. But the way the FOSS community (from its different "angles") replied was most responsible, quick, and led to an important questioning and reworking on several ways for different projects, towards an overall bettering of code quality.
Poul-Henning Kamp
"But for bits of infrastructure so heavily and broadly used as OpenSSL is, there are many people employed by other companies looking at the code"
Are there ?
Personally I doubt it, given that the universal reaction from anybody I have ever talked with who looked at the OpenSSL source code has been to find something else to do, post haste.
But assuming you are right: are they only looking at the code, likely shaking their head in disbelief, or do they have the (significant!) time, inclination and skill to improve it too ?
And if they do, have they got commit-privilege to the OpenSSL version control system, or will their patches, when submitted to the OpenSSL project, be accepted or will they languish in the bug-tracker, along with pretty much everything else sent to the OpenSSL project over the years ?
I agree with you that "the FOSS development model works very good", but the FOSS *maintenance* model doesn't work at all.
Displaying all 2 comments