Heartbleed is a bit over one month old now. A bug significant enough to have its own Wikipedia page. Today, we’re going to look into how wrong we have been in assuming that Open Source software is more secure than commercial software, because of our thinking that source code is open and that many developers are looking into it.
Free as in Beer
One of the core principles of Open Source software is, well, that it is open and that this openness is free in one way or another. This allows us developers to browse source code of third-party software and libraries for various reasons:
- To learn from it
- To copy it (under the terms of the respective license)
- To modify it (under the terms of the respective license)
- To verify it
Proprietary software often does not have the above attributes in exchange for warranties. When you read through the millions of lines of unintelligible legal Microsoft text, for instance, you will see that Microsoft gives a couple of guarantees, also with respect to security and how security flaws are remedied.
The warranty that is legally shouted at you by OpenSSL is this one:
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
In fact, you don’t have any warranties. Specifically, there is no liability for direct or indirect loss of data, as has happened because of Heartbleed.
Obvious, right? Because it’s free as in beer, any consequences resulting from the Heartbleed bug are entirely your own fault, if you’re using OpenSSL, or any other open source software that includes OpenSSL under similar terms.
Yes. You should have known that you were vulnerable, because you actually could verify it. Did you? Of course not. Did we? No way we’re delving through all that C code. Did our “suppliers”? We don’t even know. We’re using WinSCP extensively, and check this out, WinSCP was affected by Heartbleed! The developers over at WinSCP have been nice enough to fix this issue quickly and release a new version. They didn’t have to do this. You know what? Let’s hit that donate button, right now to thank them.
“They” should pay
OK, but again, wasn’t Heartbleed supposed to never even happen? Isn’t this Open Source? Doesn’t anyone (read: “they”. Because, I don’t have time) review such code, especially if it’s that widely used? Isn’t Open Source security much better than closed source security, which is essentially security through obscurity?
Eberhard Wolff, a well-known German freelance consultant and trainer, recently sent me this reply:
Yes, I’m sorry, Eberhard. But that’s just the case. Security is often neglected in many pieces of software, both commercial and open source. It’s not that openness helps anyone discover things; security issues are very hard to discover per se, in commercial software too. Remember GOTO fail? GOTO fail also affected SSL, but only in Apple software.
The issue lies elsewhere, though. Because Microsoft somehow manages to patch all security issues in virtually no time. They fix things so fast that users get frustrated about the sheer frequency of fixes ;-)
But Microsoft has a lot to lose. Pretty much 90% of desktop OS market share, that’s what they’ve got to lose. They pay a large amount of insurance money, invested in security teams that penetration-test their own software to look for flaws. Yes. The vendor itself does this. And yes, it costs money. And yes, you’ve already paid that when you bought Windows (or Office for that matter).
Money that OpenSSL never had. Read this frustrated section in the following public letter by Steve Marquess:
Thanks to that publicity there has been an outpouring of grassroots support from the OpenSSL user community, roughly two hundred donations this past week along with many messages of support and encouragement. Most were for $5 or $10 and, judging from the E-mail addresses and names, were from all around the world. I haven’t finished entering all of them to get an exact total, but all those donations together come to about US$9,000. Even if those donations continue to arrive at the same rate indefinitely (they won’t), and even though every penny of those funds goes directly to OpenSSL team members, it is nowhere near enough to properly sustain the manpower levels needed to support such a complex and critical software product. While OpenSSL does “belong to the people” it is neither realistic nor appropriate to expect that a few hundred, or even a few thousand, individuals provide all the financial support. The ones who should be contributing real resources are the commercial companies and governments who use OpenSSL extensively and take it for granted.
I can sympathise with Steve. US$9,000 to improve OpenSSL, software that has added so much value to all of our servers and clients. That’s hardly enough for even 2-3 bug fixes, depending on whose salaries you’re paying.
But Steve tells off the “commercial companies” and “governments” for not having paid enough. But who are these “commercial companies”?
Meanwhile, at Data Geekery
We know similar stories, of course. When we transitioned from completely Open Source to dual-licensed, we heard a lot of complaints from users we had never heard of up to that moment. Users who had never donated or contributed code, bug reports, manual improvements or anything. This is OK. We were giving jOOQ away for free under the terms of the ASL 2.0 as part of an extended market analysis. We didn’t expect donations.
Of course, we have also disappointed one or two people who were hoping that jOOQ would remain “free as in freedom”, who have contributed, who have participated, and who now felt deceived. And we’re genuinely sorry about that. But participation doesn’t pay for our bills, money does. So we reached out for money (luckily, we always owned the code as we paid contributors of larger contributions, and had them all sign a CLA, so we could actually do this step, from a legal perspective).
But let’s again focus on the people looking for free beer. No contributions. No feedback. Free rides. And then, when asked for money, they’re pissed (even 8 months later!).
Fair enough. Our price has risen for that particular user. From free to something. They, too, have a right to be frustrated about this change, which they might not have expected. But they, too, have taken “free” for granted without proper reason. Without verifying.
We don’t believe that “THEY” should pay for our licenses. We don’t think that “THEY” should pay for enterprise support. There is no “THEY” in free software, there’s only all of us, because who decides which project is really important enough to deserve some funding from “THEM” and which one isn’t? All attempts of “fairly” distributing money will inevitably lead to corruption, misuse, abuse, and eventually, to a lack of innovation. We’ve known that from other industries.
So, let’s simply establish two facts:
- Free software is lying around in the streets. It is publicly acclaimed to be AS IS software. If we’re using it, it is our own risk. And if it goes wrong, it is our own fault. No one else’s. Not the big companies’ (who are already investing tons of money in Open Source software), and not the governments’ (same thing there). Stop pretending that FOSS is in any way better or less of a legal risk than commercial software. That’s just not true.
- In fact, there is no such thing as free software. “Free” is a price we’re paying as a down payment (or non-payment). The costs will or might arise later. If we’re lucky, the thing will remain “free”. But if we’re professionals, then we’ll insure ourselves against any risk arising from free “AS IS” software. This means that we’ll give back (= “pay”) in another way. Through donations, through bug fixes, through verification.
Bruno Borges from Oracle has expressed his very interesting views and counter measures to the current state and meaning of Open Source software in this blog post.
23 thoughts on “Free as in Beer has caused Heartbleed (and Much More)”
I wonder what would have happened to Hibernate if it weren’t backed by Jboss/RedHat. The complexity of any ORM implementation would have certainly become too much for maintaining it, after work. Usually the ones that complain the most are those who never contributed to anything. The best antidote would be to have them start their own project while still finding a way to pay the bills. Kind of tricky! Even writing a blog is time consuming, so why not monetize the expertise. There is no such thing as a “free meal”, and even if it were, are we so hungry “to eat anything”?
Great question! I’ve been asking myself the same thing. In the .NET universe, there is a very popular ORM (and LINQ provider) called LLBLGen. Given that .NET (Microsoft) is less of an Open Source environment than Java, people have never been unhappy with having to pay for something as excellent as an ORM.
I’m planning to do an interview with Gavin King some time soon (if he has time). I’ll certainly be asking him this question: “Why not just create a new company?”
In 2005 I was doing my dissertation thesis for a telemedicine project using .NET 1.0. After persuading my manager to use an ORM I opted for NHibernate. It was a beta version, but the concept was solid and the support was great. Being a mirror of the Java version, you can imagine how easy it was to get answers from the Java side. Even the beta version was great to use, so there is a great .NET ORM. Its name is NHibernate and it rocks!
I am looking forward to that interview with Gavin. I think he must have sold the project to JBoss which was not a bad move after all.
You can make good money by just offering professional JPA training, one thing I am planning to do myself, now that FlexyPool is kinda stable.
So, to recap, you started an open source project, accepted contributions, then started charging for it? And all you can say is “sorry” ?
Thanks for stopping by. We have paid for major contributions and have signed CLAs for all the contributions that we kept, and we removed the other ones from the version that we maintain, most importantly the jOOQ Console and the Gradle plugin, which are not part of jOOQ right now, but are still available under the terms of the original ASL 2.0 license in Maven Central. There is no code in our codebase that we don’t own. We were really sorry to see those two particular contributors go. We would have loved to keep them (e.g. on some reasonable payroll), but they had their principles, which we fully respect.
Note, we actually didn’t have substantial contributions. Pretty much 99% of all code was written by ourselves.
I am a bit surprised (and disappointed) by your reaction, though… We do take our business seriously, and we have spent a lot of time walking through this transition with lawyers before actually doing that move. We take copyright very seriously, and if we happen to have made a concrete mistake, we’re more than happy to rectify that. I’m sure you have considered these options before leaving your comment, though…?
BTW, if I’m not mistaken, though jOOQ is no longer free as in beer, jOOQ is still free as in speech, right?
The jOOQ Open Source Edition is still Free as in Beer. I’m not sure if I get the free as in speech thing :-)
I suppose I was a bit fuzzy on it too when I asked that. I was just thinking of the freedom to look at and modify the source, but in looking it up, at least as GNU defines it, it includes the freedom to redistribute, which is hard to reconcile with not making it free as in beer.
The jOOQ Open Source Edition is no different from any other ASL 2.0 licensed Open Source software. It just happens not to work “well” with Oracle, SQL Server, DB2, …
The jOOQ Express, Professional, and Enterprise Editions are “opened source”, but not Open Source. I.e. we ship the source for documentation purposes, but not for redistribution, which is expressly prohibited in the license text. We have sold licenses where such redistribution was allowed for an extra fee, though (under certain restrictions).
Does that answer your question?
Sorry, I meant to link the GNU definition: https://www.gnu.org/philosophy/free-sw.html
Also, there seems to be a movement to use the words “libre” and “gratis” for free-as-in-speech and free-as-in-beer respectively, to avoid the ambiguity of the English word without constantly having to use those phrases. I hope it catches on.
I hope not! They’re just translations. For me, speaking all three languages, that’s very confusing. It’s like saying, OK the English license, the French license, and the German license. Whatever :-)
Consider me a beginner in this area, but don’t open source software contributors earn from the support work?
When I first heard about Open Source Software in our college time frame, my first question to the speaker was how Open Source Software companies survive, and the answer was through support and implementation help provided to the users of the software.
This is mostly only true for very large companies like Red Hat, Oracle, IBM, etc, which choose to publish parts of their software as Open Source for strategic reasons. Many Open Source developers, however, do their work during their free time. You could consider this “charity work”, donated to the public. There is certainly no money in that sort of business, not even from support.
Nice post. Can you measure how much free/libre and open source software had you used to create, publish and share it?
You should take a closer look to free software. Free as in beer is not free software.
These distinctions are very subtle, at least in our opinion. We don’t think there is a clear line between what people have come to call “free” vs. “libre”. Someone always owns the product in one way or another, and it has always been fine with the original idea of “free” software to make money with parts of it.
Yes, I can measure how much free and open source software we used to create, publish, and share it. Let’s name a few:
So, “free” is obviously not avoidable in modern times. This is good, because Open Source software has many merits and has been a true business enabler. But this is NOT because of the “free” vs. “libre” distinction. No one cares (in every day life). This is because of the price, which is the whole point of this article. OSS consumers only see “free as in beer”. This is an attitude towards OSS in general.
Note, that with jOOQ, we’re trying to reflect this entanglement between commercial and Open Source software by the fact that we contribute a truly free (ASL 2.0 licensed) jOOQ Open Source Edition with all the features for use with OSS databases. Only usage with commercial databases requires a commercial license.
Yep, this is how most people think. Free as in beer. But it isn’t nearly close to the main reason FLOSS became mainstream. The one and only reason is the hackers behind it, like the OpenSSL developers, but also like Ken Thompson, Dennis Ritchie, Stallman, Linus Torvalds, Guido van Rossum, DHH, not companies.
Nobody does FLOSS with the intention of increasing others’ profit. We are only itching our own scratch. And sharing recipes. Ordinary people may not care about it, but this only makes them ignorant.
PS: I don’t disagree with commercial licenses in free software. I’m only criticizing the critic.
While the guys you’ve listed are certainly an influence for our industry, the main reason they really were effective is the price they put on their software: $0.00. It is hard to beat that price with commercial software, specifically if the software is as good as Linux, Git, etc.
But again. Success is based on supply and demand. And there has been a lot of demand for “cheap” or even “free” software. Whether there is any philosophy behind it or not is irrelevant. While Firefox followed a “greater common goal” (whatever that should mean), Google Chrome simply wants you to share your data with Google. For free (as in beer)…
You can use the thought you want to justify your own “ambition”, but free software isn’t about making a profit. And I guess that’s why the guys that contributed to your project didn’t continue.
Could this bug have been avoided if OpenSSL were paid-only software?
Did this really matter here?
5 1/2 things to remember about “new features”:
– Do not implement new features until they are really necessary.
– Do not implement new necessary features which do more than they are expected to do.
– If a new feature has to handle data from the world outside, remember: never trust a stranger.
– Do not let students implement new features into safety-critical software. Especially if it’s software on which so many people’s security relies.
– Test new features; here especially for bad input.
– Bonus: Do not commit on New Year’s Eve.
Can’t see where money could have helped avoid this bug.
No, it might not have prevented the bug. But neither has OSS. The point is that OSS is in no way better or different than commercial software, which has been what many have claimed in the past.
Nice list, btw. I absolutely agree with all of them :-)
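The “never trust a stranger” and “test for bad input” points from the list above, as an added example that is not code from OpenSSL or from this post: a minimal heartbeat-style echo handler in C that only honours the payload length a peer claims once those bytes are known to be inside the record actually received. The record layout (type byte, 2-byte length, payload, 16 bytes of padding) is a simplification assumed for this example, and the sample records are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout assumed for this example (simplified, not the real TLS record
 * format): 1 byte type, 2 byte big-endian claimed payload length, the
 * payload, then at least 16 bytes of padding. */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16
#define HB_REQUEST 1

/* Copy the payload to be echoed back into `out`.
 * Returns the number of bytes copied, or -1 when the record must be dropped.
 * The claimed length is only honoured once we know those bytes really sit
 * inside the `record_len` bytes we received; without that check the copy
 * would read past the record into whatever memory happens to follow it. */
int heartbeat_reply(const uint8_t *record, size_t record_len,
                    uint8_t *out, size_t out_cap)
{
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                        /* truncated: no room for header */
    if (record[0] != HB_REQUEST)
        return -1;                        /* not a request, nothing to echo */
    size_t claimed = ((size_t)record[1] << 8) | record[2];
    if (claimed > record_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return -1;                        /* peer claims more than it sent */
    if (claimed > out_cap)
        return -1;                        /* never overrun our own buffer */
    memcpy(out, record + HB_HEADER_LEN, claimed);
    return (int)claimed;
}

/* Constructed sample records; the zero-filled tail is the padding. */
static const uint8_t sample_honest[HB_HEADER_LEN + 5 + HB_MIN_PADDING] =
    { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* Same 5-byte payload, but the header claims 65535 bytes. */
static const uint8_t sample_liar[HB_HEADER_LEN + 5 + HB_MIN_PADDING] =
    { HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o' };

static int run(const uint8_t *rec, size_t len)
{
    uint8_t out[64];
    int n = heartbeat_reply(rec, len, out, sizeof out);
    return (n == 5 && memcmp(out, "hello", 5) != 0) ? -2 : n;
}
int demo_honest(void)    { return run(sample_honest, sizeof sample_honest); }
int demo_liar(void)      { return run(sample_liar, sizeof sample_liar); }
int demo_truncated(void) { return run(sample_honest, 2); } /* header cut off */

int main(void)
{
    printf("honest=%d liar=%d truncated=%d\n",
           demo_honest(), demo_liar(), demo_truncated());
    return 0;
}
```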