Every day, when I have breakfast, I read the front page of the local newspaper. There is usually nothing interesting on it and therefore I never make it more than one or two pages in. But this morning, a huge article on the front page caught my attention. It was about Heartbleed.
I am surprised by what kind of media is contacting so-called “experts” these days to print interviews with them about how to pick a good password and printing their opinions that this is the “worst” that could ever happen to the Internet and that the Internet is not safe any more. What a colossal b***s***. The media had its story and was now searching for the right people who would give them the quotes they needed. Please, don’t believe that.
I am not going to deny here that Heartbleed is in fact a security issue. It is bad, for sure. But it is not “the worst” and it is fixed by now. Why is it not the worst? Because there are plenty of other ways for attackers to get to your credit card details and passwords. Companies constantly lose user databases with lots of sensitive information. Nobody cares about that too much, but it is essentially the same. I think that is much worse.
It is reported that the author of the patch that introduced Heartbleed gets lots of emails with threats and other accusations. People blame him, saying he should have paid more attention to the code he submitted. The author himself blames the reviewers who reviewed the code, saying it is in fact their fault. It clearly is not. I wish the author had paid a little more respect towards OpenSSL and that he had been aware of the impact the submitted code had. It is very sad and I also feel disgusted that he is trying to blame other people. That is no excuse to submit bad code. He simply could have apologised for the mistake he made and this would have been over. We all make mistakes from time to time, although we should always try our best to avoid them. In the end, it is just important to learn the lesson, which he certainly did not.
I really don’t care about him, but I care about the reputation of Open Source software. In the article in my local newspaper and at other sources, people aim for a frontal attack against Open Source software. They say that it was bad to develop software in the open because all sorts of errors are visible and attackers can simply find them and exploit them. They say that peer review did not work. They say that closed source development solved these issues. All these arguments are just false.
I view it the opposite way around: Closed software development in companies became much more like Open Source development. Nobody is developing software in the old style. “Agile development” is the way to go. With test suites, peer reviews, and a wiki for technical documentation. Just like Open Source. They adapted their development models from Open Source development models simply because of their huge success. The Linux kernel is, for example, the biggest open software project in the world. It has several thousand contributors, hundreds of maintainers and it is completely distributed and open. I don’t need to explain to you how successful the Linux kernel is. Maintaining such a huge code base with so many different interests would not be possible in any company.
The claim that Open Source projects need to be run more like companies, that they need to be commercialised to guarantee a certain degree of quality, is ridiculous. Due to the open license of OpenSSL, two researchers (independent from each other) found the issue, reported it and fixed it. That would not have been possible with a closed development model. The ability to patch your own version of OpenSSL and replace the broken version in your system with a fixed one is a huge benefit of Open Source software. Lots of companies benefit from Open Source software. They use open components like OpenSSL for cryptographic tasks in many closed source programs because nobody wants to implement that over and over again. People trust in the quality of OpenSSL, the Linux kernel and other Open Source software. That is for sure.
But why is Open Source software of such a high quality? I think the reason for that is simply because people care about their own projects. When the IPFire project was started, I cared very much about doing a good job with it. Over time, many more people joined the project, because they care as much as I do. So there are now many people involved who want to see IPFire getting a bit better every day. They don’t want to see quick-and-dirty solutions. They want to see good and maintainable code. They want to be part of a great project.
In the world we are living in, it is all about the money and so passionate developers need to make sure that their fridge is filled up from time to time as well. So, donating money to them helps them to pay for coffee and all the other things they need to do their jobs. It gives them more time to focus on what they are passionate about – their code. Some regard Open Source software as if it has always been there and it is free (as in free beer). Actually, someone has spent hours and hours programming it, testing it, and there is also much more to do than just code.
Then people come, take the software, use it in their own products and start complaining very loudly if there is a bug that causes them trouble. This isn’t just mean. It outrages me that people constantly moan that they want this feature or that feature and that they try to force developers into implementing it – for free, because they think that Open Source software is all about “free”.
I regard it as their responsibility to give something back to the Open Source community. That is not necessarily money. The reason why we are asking for money is that we can decide what we want to use it for. The developers have a good overview of the project and can decide best what to spend it on. But what is even more valuable for a project like IPFire is your own time. Contribute yourself. Start caring and get passionate about something.
That means it would make me happy if we had more people contributing to the code. There are many things to do. Cleaning things up. Updating packages. Translations. Implementing new features. You name it. If you want to start contributing, you don’t have to know the code from the beginning to the end. Nobody did when they joined the project. Take it as a chance to learn new things. A new programming language. How to write good documentation in your second language. Fix something that bothers you all the time and that you want to see fixed. Review proposals and code changes from other people and give them hints about how to improve them.
If you are not satisfied with the free software someone has given to you, then don’t blame them or expect them to fix it for you. It is open. Download the code, change it, and send back the changes. It is your chance to improve it. Others might not find something as important as you do. If you don’t know how, then start a discussion on the mailing list and search for other people who want to see the same thing fixed. Together, you can concentrate your efforts and resources and make even bigger things possible!
That is what Open Source software is actually about. It does not need companies who develop secure code behind closed doors. It just needs people to care about it, and that’s all that we, the Open Source community, have to do to produce high quality software. There are plenty of examples where this works and I don’t want to see this destroyed just because someone made a huge mistake and does not know how to handle it.
I would never allow this to spoil it for the rest of us.
P.S. Because I keep getting emails asking me this over and over again: IPFire 2.13 and all previous versions use OpenSSL 0.9.8 or less, so they are NOT vulnerable to Heartbleed.