Wednesday, May 07, 2014

Is there a conflict at the heart of open source?

The recent Heartbleed issue has awakened new interest and discussion in the role of open source in important infrastructure. In a thoughtful post at Dr Dobbs, Andrew Binstock [1] raises the topic of fundability of open source projects as related to the license chosen by the project. I think there are important questions here, but not risky issues. In my opinion, the model of open source development is resilient and offers several approaches for these kinds of projects.

Indeed, open source developers can be funded directly. However, I think a very good approach is the Linux Foundation's Core Infrastructure Initiative. [2] This initiative can address a few important considerations in a more scalable way, for example, governance (once money is involved, governance is important, but it's also important when coordinating important projects that cross markets and users). Also, rather than addressing individual projects piecemeal, this is a forum that should be able to take a broad view and scale across many potentially needy projects.

I think it'd be fun, and useful, to have some form of Kickstarter-like approach for crowd-ish funding of open source projects. Maybe the benefit to the funder would be a feeling of satisfaction and indirect contribution, and maybe even a name-check shout-out in the source code someplace.

As to whether the open source model can be trusted at all for important security projects, as touched upon in this Radar [3] post, well, I think Heartbleed and OpenSSL's response showed the system working the way it should. No one should expect the advantage of open source to be that code without errors will make it into the world. More importantly, once issues arise they can be rapidly addressed and, as a community, we can even understand where the issue arose and learn from that. (Contrast, sometimes, with closed source security libraries.) Trust in open source is not functional infallibility; it's more in transparency and process.

Is there a conflict at the heart of open source? No.

There are other questions, unrelated to open source, that arise when software makes its way into embedded devices and becomes harder to upgrade, but that is a topic for another post or, preferably, for people far smarter than me to address. [4]

[1] http://www.drdobbs.com/open-source/the-conflict-at-the-heart-of-open-source/240168123

[2] http://www.linuxfoundation.org/programs/core-infrastructure-initiative

[3] http://radar.oreilly.com/2014/04/heartbleeds-lessons.html

[4] http://geer.tinho.net/geer.nsa.26iii14.txt
