The observations made in the article may well be correct, but Black Duck have a history of making things look worse than they are (e.g. by ignoring dual licencing of a library) and especially given their commercial interest, I for one will take all of this with a pinch of salt.
I got 257 problems, and they're all open source: Report shines light on Wild West of software
A report on open-source security management and licence compliance may make uncomfortable reading for those who maintain codebases that use the stuff. The document – produced by Black Duck, which sells services to make sure users are on top of their estate and so has a vested interest here – looked at 1,100 commercial …
COMMENTS
Thursday 17th May 2018 21:35 GMT Anonymous Coward
bring on the downvotes
Well, when it comes to production systems I can tell you our uptime with HP-UX on PA-RISC (5 years I've been working with it, with not one kernel panic) is far better than any of our Linux machines on x86_64, which are far better than uptime on Windows on x86_64 (on average a few middle-of-the-night calls a year, and it's always Windows boxes). Haven't really run HP-UX in production on VMs on Itaniums yet, but I'm expecting it to be worse than PA-RISC even if the hardware is far faster. Intel sucks in general for uptime, but Intel on Microsoft really sucks. Open and closed source both have their place. Linux can't touch the commercial UNIXes for stability in my experience though (haven't supported BSDs officially, but they seem much better and obviously closer to the original UNIX code stability-wise).
Thursday 17th May 2018 12:37 GMT James Anderson
80 vs. several million closed source licences
There may be 80 open source licences, but every closed source software vendor has their own licence, usually with onerous restrictions, plus many vendors have a different licence for each product.
I am sure the Oracle DB license had a clause obliging you to provide your first born son suitably roasted and basted for Larry's thanksgiving dinner.
Thursday 17th May 2018 13:31 GMT Flocke Kroes
Re: 80 OSI Approved licenses
When free (as in freedom) software first became trendy, lots of commercial vendors purchased OSI approval for their open source licenses. Plenty of those licenses do not protect the user's freedom and have unpleasant consequences for any developer careless enough to think OSI approval means something more than some kind of conditional access to the source code.
In real life, the important licences are GPL, Mozilla, Apache, BSD/MIT/... and public domain. If a piece of software has a different license, it will probably be easier to find a code base with one of the tried and tested popular licenses rather than finding a lawyer able to understand and explain the consequences of a weird license under every possible legal system in the world.
Friday 18th May 2018 20:49 GMT Orv
Re: 80 OSI Approved licenses
Public domain is best regarded as a myth. Under modern copyright laws it doesn't appear to be possible to actually sign away all your rights. There are licenses that accomplish basically the same thing, but just declaring something "public domain" doesn't necessarily make it so.
Thursday 17th May 2018 13:34 GMT Anonymous Coward
"every closed source software vendor has their own license usually with onerous restrictions"
Frankly, many closed source software licenses are far better than you think - once you've paid, you can use their software or libraries as you please, as long as you don't give it out to others in source form or, if an application, the executables.
Frankly, all the commercial libraries I used had no onerous restrictions, and came with full source code.
Oracle is more an exception than the rule, so I understand you use it as the bogeyman.
Thursday 17th May 2018 16:36 GMT a_yank_lurker
Re: "every closed source software vendor has their own license usually with onerous restrictions"
The difference between closed source and open source is who has the authority to make modifications. With closed source only the vendor can make changes to the code, so you are completely at their mercy as to whether something will get patched or added. With open source, you have the explicit authority to make any change you want for any reason. Whether you do is your choice.
From a practical user perspective, there is often very little difference when using either if the code is being used internally. If the code is being used externally then the license restrictions do matter, and often the open source licenses are less restrictive by default, as you are able to include the code in your code base. With closed licenses one needs to read the T&Cs to be sure, though in many cases you can include a compiled binary in your code.
Thursday 17th May 2018 22:01 GMT asdf
Re: "every closed source software vendor has their own license usually with onerous restrictions"
>With closed source only the vendor can make changes to the code.
Generally it's more expensive, but paying the vendor to support the code has many advantages in the real world. Plenty of bad open source and good closed source and vice versa. Horses for courses.
Thursday 17th May 2018 12:38 GMT ChrisC
Not really sure how much of the blame for this can be laid fairly at the feet of open source though - failing to apply security patches, failing to change default passwords, failing to adhere to the correct licencing requirements and suchlike aren't problems unique to the OSS world, and as the closing comment in the article quite rightly indicates, developers need to know what they're doing.
Thursday 17th May 2018 14:48 GMT thames
The article seems to be mainly buzzword bingo.
* unpatched Apache Struts.
* Heartbleed
* GDPR
* IoT security
None of these have anything to do with license terms. They can be related to keeping your systems patched and up to date.
However, the real issue in that case is whether you are talking about vendor support of software you have bought, or whether you are talking about supporting software you have developed in-house (or via a contractor).
In the case of vendor support, the license is irrelevant to this issue. The real issue would be the quality of service provided by that vendor. Whether that vendor is Red Hat or Microsoft, the issue is the same.
In the case of self-support of something you developed yourself (or paid a contractor to develop for you), then you need to handle this aspect yourself.
In the general case of security patches for open source libraries and components though, if all of that came from the standard repos of a Linux distro then the distro manages all of this for you. They have security teams and their distro comes with an updating system that manages security patches. They can't make you apply those patches though, that is up to you being willing to do so and having the procedures in place which prevent the issues from being ignored.
This though is really just another variation on the vendor support question, with the license being irrelevant except that you now have a variety of competing vendors all supporting very similar systems to choose from.
Thursday 17th May 2018 12:48 GMT ExampleOne
The bogeyman of the hoarders of personal data, GDPR, also reared its head. Black Duck noted that responsibility for compliance lies not only with auditing one's own code and processes, but also ensuring that any open source in use is also compliant.
So best to just use closed source software and then any non-compliance issues aren't your problem?
Or is it actually more a case that even with closed source software you are responsible for ensuring it's compliant, even though you have no access to the code? Given everything I have heard about GDPR I would be shocked if using closed source software absolved an organisation from liability, as that is going to be far too easy to abuse. (All our software is sold to us in binary form by Subsidiary Software Inc, so we can't be liable. Oh, their EULA disclaims all liability so they can't be liable either.)
This whole question gets even more scary with things like CPU hardware compromises: who is liable if the Intel Management Engine gets compromised and used to find and exfiltrate protected data?
Friday 18th May 2018 09:52 GMT Anonymous Coward
>>Yes by running IIS instead of Apache you get a get-out-of-jail free card when you leak all the medical data of your patients.
IIS + .NET + SQL has indeed had an order of magnitude fewer vulnerabilities than a LAMP stack over the last decade. Most of the leaks you read about are from OSS systems.
Netcraft says IIS now has an over 10% larger market share than Apache so if there was any inherent problem with IIS we would know about it by now.
Saturday 19th May 2018 00:41 GMT Anonymous Coward
"That's only true if you cherry-pick the one category where IIS is gaining ground (all sites). "
Which is the primary / first figure reported each month by Netcraft. And it was always the figure quoted when Apache was ahead. Strange how it's suddenly not good enough now that IIS is market leader!
Thursday 17th May 2018 13:12 GMT Anonymous Coward
Developer / company mindset
I doubt that much is going to change here.
Because ask yourself this: why do those developers and/or companies choose to use open source to power their setup? The answer is usually to save money. And I doubt that the 'aftermath', such as keeping things up to date or bothering yourself over licenses, would add to that, so it's often enough ignored.
Monday 21st May 2018 16:10 GMT Paul Hovnanian
Re: Last line says it best
"Open source, for all its benefits, does not remove the need for developers to know what they are actually using."
And proprietary platforms don't? Take an old PLC platform whose programming and interface components ran on XP with IE6. The bindings between the apps and OS were very tight. Just to make sure that you bast[censored]ds don't try to run it on WINE or anything like that. Now, a license for the current software version costs nearly* as much as tearing out the controllers and putting the ladder logic in a brand new system.
*Just enough less so that you'll choose the new license instead of scrapping and starting over.
Thursday 17th May 2018 13:49 GMT Anonymous Coward
The particular issue around Open Source licensing
'Remember Apache Struts? This was the framework left unpatched by Experian in spite of an alert issued by the US Department of Homeland Security in March 2017. The subsequent data breach will keep lawyers in work for years to come.'
Symantec Software License Agreements: "MEDIA WARRANTY .. Symantec warrants that .. the Licensed Software .. will not be defective .. for a period of ninety (90) days .. THE FOREGOING IS YOUR SOLE AND EXCLUSIVE REMEDY FOR SYMANTEC'S BREACH OF THIS WARRANTY."
Oracle End User License Agreement: "To the extent not prohibited by law, Oracle hereby disclaims all express or implied representations, warranties, guarantees, and conditions of any kind, arising by law or otherwise, with regard to the program."
Apple Inc. Software License Agreements: 'To the maximum extent permitted by applicable law, the Apple Software and Services are provided "as is" and "as available", with all faults and without Warranty of any kind'
IBM Limitation of Liability: "IBM’s entire liability for all claims related to this Machine will not exceed the amount of any actual direct damages you incurred up to the amounts paid for the Machine .. IBM will not be liable for special, incidental, exemplary, indirect, or economic consequential damages, loss of data, or lost profits, business, value, revenue, goodwill, or anticipated savings."
Thursday 17th May 2018 14:35 GMT EnviableOne
Re: The particular issue around Open Source licensing
The same clauses are in the GPL, MIT and Apache licences, especially the "As Is" and the "without warranty".
The issue is, don't use it if you don't know what it's doing ...
I admit to re-using code, but everything in any of my programs I have read through and worked out the whats and wherefores, and can be reasonably sure it's not doing something stupid.
Thursday 17th May 2018 14:40 GMT Anonymous Coward
False positive problem with Black Duck
I wrote a system from scratch in order to comply with DO-178 (i.e. high-level requirements were written from the completed and reviewed system requirements; low-level requirements were written from the completed and reviewed high-level requirements; and source code from the completed and reviewed low-level requirements) so that everything was fully traceable. Even with this level of proof that everything was written from scratch, our lords and masters insisted that we had Black Duck audit our code. They claimed that we had hundreds of license violations from copied open source code. Manglement won't be wasting their money again!
Thursday 17th May 2018 16:40 GMT amanfromMars 1
In the Beginning and Right Out of Nowhere. Enlightening Paths to Follow and Worship/Blaze and Crave.
with the researchers highlighting connected hardware providing pathways for hackers to get to unexpected places.
:-) Have y'all any remote idea what transpires in such hackers unrecognisable and practically invisible in unexpecting places, the genus of Almighty Intellectual Property Spaces.
Tell me that is not Revolutionary and there will be a Revolting AI to Win Over to Conquer and Vanquish Revolt ..... with NEUKlearer HyperRadioProACTive IT for COSMIC AId Drivers Transporting Future Universal Feeds ...... with Almighty Bountiful Needs/Craves and Desires.
When Truth is a Weapon Shielded, what Price Full Transparent Secret Disclosure? Designedly Expensive and Cheap at Any and All Prices too would be a real bargain and virtual gift to
Methinks the Benefits in Knowing of the Future because of COSMIC Secrets Disclosed would be Quite Obvious with Reward Outrageously Encouraging and Excessive.
And that's an UnCommon Virtual Treasure to Spend Outrageously on Future Flight Paths with Newly Realised Inter Planetary Virtual Connections ..... for Fellow Pioneer Travellers.
Such Provides Instant New True to Leader Connections to Enjoy, Embrace and Excite to Heavenly Delight Heights.
You gotta be able to handle everything offered there for the Bitter Sweet Relief and Climactic Release of Ecstasy Reward and Awards, are a Devils' Work to Never Ever Better.
Where's your US CyberSpace Person, just when they would be handy, Mr President, Donald J Trump?
:-) Does Twitter do Rule?
Thursday 17th May 2018 18:20 GMT Anonymous Coward
Regardless of the veracity of the article and who it is citing, if you write code, copy code, borrow code, and mash it together to make something you issue to the public, you are the end party who is responsible for making sure that what you hand out for cash and under contract is quality - here I chuckle, chortle and choke back giggles until I am blue in the face - there appears to be no such thing as perfect, air-tight and totally safe code in existence, and the situation is exacerbated by the fact that there appears to be no such thing as a desire to try and make sure of what most companies choose to run their businesses and/or products on. That costs money..... sheesh.
Friday 18th May 2018 11:13 GMT amanfromMars 1
Quantum Communication Mumbo Jumbo here Exercising Control of Command Engaging Reciprocity
Perfect Enough would be a Perfect Enough Reality for All Streaming Systems with Live Operational Virtual Environment CoNNeXXions.
Which be a Universal Space Command and Control/Commend and Extol Special Future Measures Area when Heavens Delights are Proven with Raw Desires Tendered to be Immaculately Sated when Future Satisfaction Transactions are Guaranteed .....
Here's a good place as any to start AIFuture Journeys, as we keep looping back and forth into El Reg to check on breaking news projects, and for the exchanging of commenting visions with both competition and opposition vying for a lead with an Almighty Distraction, is it a Splendid Leader in the AI Fields where Quantum Communication Quality Counts.
And yes, I do suppose some may ponder on the Stranger from Other Worlds and Consider the Oddness to be Revealing ....thus a Valuable Source to Corner and Commandeer/Secure and Server, methinks. :-)
Friday 18th May 2018 12:46 GMT amanfromMars 1
Re: Quantum Communication Mumbo Jumbo here Exercising Control of Command Engaging Reciprocity
And don't even start to think and call Snake Oil on any of that AIdDevelopment lest you want to be identified as can also be able bodied serial loser ...... Immaculate Scapegoat ..... Sacrificial Trojan for Rapid Rabid Success in Futures Secured with Remote Augmented Virtual Reality ProgramMING Programs. The Key Core Virtualised Raw Source Drivers for NEUKlearer HyperRadioProACTive Presentation of Projects already Running Key Core Virtualised Raw Source Drivers for NEUKlearer HyperRadioProACTive Presentation .... until Time is Up and all Spaces are Crowded.
Or do you really not know what is going on all around you, and around everyone else everywhere else too?
That would leave one speechless in amazement when true, and when not, amazed at so little text revealing the Bigger Picture and the Ways of its Phorming with Phished Stock from Prime Assets.
Have a nice weekend, y'all.
Thursday 17th May 2018 22:04 GMT Doctor Syntax
Citation needed
"The bogeyman of the hoarders of personal data, GDPR, also reared its head. Black Duck noted that responsibility for compliance lies not only with auditing one's own code and processes, but also ensuring that any open source in use is also compliant."
In what way does GDPR say anything about code? It's all about data, specifically personal data, and what you do with it. It makes no difference whatsoever as to the technical details of how it's processed; even your salesman's little black address book is subject to it.
I'm building raised beds in the garden. I could do with some of their top-quality BS as a soil improver.
Friday 18th May 2018 06:17 GMT Anonymous Coward
It's hardly surprising
There have always been business sectors whereby they sell something, then wind the company up when they have earned enough money, so that they don't have to honour warranties. Think double glazing, solar panel installers etc.
The software industry does the same, only upfront: the licence says not our problem, only this way they don't have to wind up and restart as a different company rather than deal with historic liabilities. I personally think this is a better method.
Anything financial has a short-term outlook. Once you have the money in your pocket, you spend it whether you use Open Source or Closed Source. No one likes to receive money only to have it taken back 5 years down the road because of a liability; that's what an insurance company is for.
...the subtitle to this news story was good, but I can't get the song out of my head now!