back to article Critical 0-days in open source? The problem isn't code, it's CASH

Linux Foundation Executive Director Jim Zemlin thinks the information security world needs fewer surgeons and more personal trainers, and he's putting his organization's money where his mouth is. Speaking at this year's Linux Foundation Collaboration Summit, an invite-only event taking place this week in Santa Rosa, California …

  1. midcapwarrior

    Free

    I was going to make a comment about "free like beer" but nah, that's too easy.

    Money makes the world go round. Even the foss world

    1. Anonymous Coward
      Anonymous Coward

      Re: Free

      That's a major problem with Open Source. If you have unlimited resources then the code is there for you to find new holes in. If the code is proprietary / not public then you have to reverse engineer it and / or fuzz it which is a far more difficult undertaking.

      For instance current Windows version OS code may not be any more secure than Linux but it had fewer publically known vulnerabilities in the last year than just the Linux kernel, let alone a full Linux distribution....

      1. mosw

        Re: Free

        "it had fewer publically known vulnerabilities"

        You can take actions to mitigate the threat of the publicly known vulnerabilities. It is the unknown vulnerabilities that are the biggest threat.

      2. Anonymous Coward
        Anonymous Coward

        Re: Free

        If the code is proprietary / not public then you have to reverse engineer it and / or fuzz it which is a far more difficult undertaking.

        And therefore, only those with a lot to gain will bother.

  2. aaaa

    Failure of the value proposition

    The value of Open Source far exceeds that of Proprietary software, and that is an argument the F&OSS community haven't made well enough over the years, instead the conversation in boardrooms is only ever about cost.

    Of course the price of software has little to do with its cost, the price includes installation, support, ongoing real costs (e.g.: power, cpu, storage), risk to the business using the software, cost of modifying/customise/improving the software (or not being able to), and future migration costs.

    But rather than sell F&OSS on the price, it's done on the cost. And the end result is simply that those most able to pay, and most able to reap the benefit of F&OSS are also the least likely to fund it. Which leads to F&OSS becoming unmaintained and no new young blood wanting to get involved in future F&OSS projects, who instead build iPhone apps.

    The outcome is one perfect for commercial software producers: a failed experiment with F&OSS. All those who clicked 'download' and never clicked 'donate' or 'buy' or 'sponsor' or 'contribute' would never consider themselves part of the problem.

    1. Charles 9 Silver badge

      Re: Failure of the value proposition

      It had always been my experience that the terms "price" and "cost" are reversed compared to how you use them. As in the true cost, the "opportunity cost" of something is more than just the buying price of the item. You mentioned the support and everything else involved, not to mention the fact you're using this versus an alternative system.

      I will agree on the essence of the article, though, that no matter how much you slice it, you need someone to read your code to find those bugs, and since these people need to put bread on the table, cost/benefit analysis is against FOSS unless FOSS can sweeten the deal. Perhaps one of the big stumbling blocks is that very word "Free": as noted frequently here, so ambiguous as to perhaps evoke the wrong image in potential consumers (too much beer, you could say). Perhaps the FOSS movement would be wise to try to change their name to reflect a more precise term behind their cause.

  3. Charlie Clark Silver badge

    Talking shop asks for more money

    Remind me again what the Linux Foundation actually does? Maybe they could give Mr Zemlin some English lessons: "remedy" is also as a verb: "remediate" would be to "re-mediate".

    The OpenSSL bug is interesting. Why did the Linux Foundation not get on board with the LibreSSL project – OpenSSL suffered not just through enough peer review but also being poorly designed. From my own view perspective I can see more and more acceptance of open source software by companies as long as they understand the costs associated with their own customisations and can be reassured that the software is actively maintained. The "free as in free speech" is an unwanted and unnecessary distraction in such discussions so it's good to see it coming up less and less.

    1. wdmot

      Re: Talking shop asks for more money

      "remediate" would be to "re-mediate"

      Or perhaps the Oxford English Dictionary's third, perhaps less-used, entry: "v, trans: to provide a remedy for, redress, counteract". Is that English enough? (And does "redress" mean to "re-dress"? Such an interesting language we have.)

  4. MadMike

    Invulnerable

    The new sparc M7 cpu this year, will be invulneranle to heartbleed and similar attacks/bugs.

    1. Jess--

      Re: Invulnerable

      so is a housebrick

      1. Anonymous Coward
        Anonymous Coward

        Re: Invulnerable

        As is a boat anchor...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020