[clug] [OT] 'Technical Debt' in Infrastructure, now entering mainstream media

Robert Edwards bob at cs.anu.edu.au
Sat Nov 9 22:13:07 UTC 2019


I am somewhat disquieted by some of Sam's throwaway lines here, which caused
me to reflect on why I participate on this mailing list. To which I can say
that I am on this list to defend, support, encourage and celebrate the
development and use of Free and Open Source Software, esp. including the
Linux kernel.

So, I put OpenSSL, the Kernel and Samba into the frame with my highly
sarcastic response to Paul's well-intentioned, but ultimately existentially
threatening post.

Now it is upon me to call out a description of the OpenSSL code quality as
fecal matter, with zero supporting arguments, documentation, references etc.
And similarly with the initial releases of the Linux Kernel.

I'm not familiar with Sam's credentials in this area. I am guessing that he
may be referring to responses to various vulnerabilities discovered in the
OpenSSL code base over the years, the most spectacular of which is known as
Heartbleed. The response to which was multiple forks of the project, some of
which managed to remove almost 100,000 lines of code contributed, in the
large, by well meaning contributors, but introducing many more
vulnerabilities. Another response, to address this technical debt, was the
Linux Foundation's Core Infrastructure Initiative, a good outcome, in my
opinion.

I have attended multiple Web Security training courses and my understanding
is that OpenSSL is still the gold-standard in tooling for web security
analysis. That doesn't speak to its code quality, but is evidence that it is
held in high regard and so many, like me, are prepared to wear the technical
debt risk over the greater risk of vendor lock-in if projects like OpenSSL
didn't exist.

I should also point out that there are multiple SSL libraries out there,
including other Free and Open Source implementations, such as GnuTLS (Free
Software only), which I have written code against, so have some vague working
knowledge of it. I celebrate all the FOSS SSL libraries and note that OpenSSL
is not the only security library to have had vulnerabilities detected over
the years.

On to the slight against Linus Torvalds and the implied assertion that the
early Linux kernels were also fecal matter. I just want to point out that
Linus is still the kernel lead, after many decades, and the originating
author of other v. significant projects, not least of which is git. He
deserves much greater credit and respect for his contributions than the
implication that he can't write non-fecal code.

Why is any of this important? Paul's post that I responded to rubs up
against some core Free and Open Source foundational attributes, one of which
is the permission to write "junkcode". Writing and sharing junkcode has been
a foundational educational experience and freedom to me and many others.
What others choose to do with my junkcode is up to them. If a Linux
distribution or manufacturer with embedded FOSS code chooses to include some
of my junkcode in their distro or product, that is on them, not me.

Is this akin to von Braun saying that he was just developing rockets, it was
on the Nazi leadership who deployed them as WMDs? Or a gun manufacturer
hiding behind the shooter being the sole responsible party?

I don't know and I sure hope not. I do want to encourage the next generation
of Free and Open Source coders to have a go and not feel constrained because
their pet project may cause someone to have some additional technical debt
in the future.

Paul's additional comment that there is a "right way" to write code, and
that it is "simple" to get it right also smacks of a kind of elitism to me,
esp. in the absence of any further details of what that right way might be.

My >A$0.02 worth.

cheers,
Bob Edwards.

On 8/11/19 6:50 pm, Sam Couter via linux wrote:
> As far as code quality goes, OpenSSL is still poop. So was the Linux kernel
> before everybody who wasn't Linus got into it. Tridge is somewhat of an
> outlier, and will probably admit the first version of samba wasn't perfect
> either.
>
> In short, these are a bunch of examples supporting Paul's point. Those
> projects all started with huge technical debt and their value lay elsewhere.
>
> On Fri, 8 Nov 2019, 18:30 Stephen Hocking via linux, <linux at lists.samba.org>
> wrote:
>
>> OpenSSL, methinks.
>>
>> On Fri, 8 Nov 2019 at 09:49, Kathy Reid via linux <linux at lists.samba.org>
>> wrote:
>>
>>>> Imagine a world where, for instance, most of the O/S kernels were
>>>> written by a second year undergrad from a non-English speaking
>>>> country - doesn't even bear imagining.
>>> Linus Torvalds, Linux
>>>> Or if the dominant file-server
>>>> were written by a PhD student with a physics background who did
>>>> it just to solve a short-term problem.
>>> Tridge, Samba
>>>> Or if most people were
>>>> relying on a security protocol cobbled together by a pair of students
>>>> from a backward place like Queensland... Dystopia!
>>> This one eludes me? It's not Diffie-Hellman or GPG. TLS?
>>>
>>> --
>>> linux mailing list
>>> linux at lists.samba.org
>>> https://lists.samba.org/mailman/listinfo/linux
>>>
>>
>> --
>>
>>    "I and the public know
>>    what all schoolchildren learn
>>    Those to whom evil is done
>>    Do evil in return"            W.H. Auden, "September 1, 1939"
>>