[clug] [OT] 'Technical Debt' in Infrastructure, now entering mainstream media
Robert Edwards
bob at cs.anu.edu.au
Sat Nov 9 22:13:07 UTC 2019
I am somewhat disquieted by some of Sam's throwaway lines here, which caused me to reflect on why I participate on this mailing list. To which I can say that I am on this list to defend, support, encourage and celebrate the development and use of Free and Open Source Software, esp. including the Linux kernel.

So, I put OpenSSL, the Kernel and Samba into the frame with my highly sarcastic response to Paul's well-intentioned, but ultimately existentially threatening post.

Now it is upon me to call out a description of the OpenSSL code quality as fecal matter, with zero supporting arguments, documentation, references etc. And similarly with the initial releases of the Linux Kernel.

I'm not familiar with Sam's credentials in this area. I am guessing that he may be referring to responses to various vulnerabilities discovered in the OpenSSL code base over the years, the most spectacular of which is known as Heartbleed. The response to which was multiple forks of the project, some of which managed to remove almost 100,000 lines of code contributed, in the large, by well-meaning contributors, but introducing many more vulnerabilities. Another response, to address this technical debt, was the Linux Foundation's Core Infrastructure Initiative, a good outcome, in my opinion.

I have attended multiple Web Security training courses and my understanding is that OpenSSL is still the gold-standard in tooling for web security analysis. That doesn't speak to its code quality, but is evidence that it is held in high regard and so many, like me, are prepared to wear the technical debt risk over the greater risk of vendor lock-in if projects like OpenSSL didn't exist.

I should also point out that there are multiple SSL libraries out there, including other Free and Open Source implementations, such as GnuTLS (Free Software only), which I have written code against, so have some vague working knowledge of it. I celebrate all the FOSS SSL libraries and note that OpenSSL is not the only security library to have had vulnerabilities detected over the years.

On to the slight against Linus Torvalds and the implied assertion that the early Linux kernels were also fecal matter. I just want to point out that Linus is still the kernel lead, after many decades, and the originating author of other v. significant projects, not least of which is git. He deserves much greater credit and respect for his contributions than the implication that he can't write non-fecal code.

Why is any of this important? Paul's post that I responded to rubs up against some core Free and Open Source foundational attributes, one of which is the permission to write "junkcode". Writing and sharing junkcode has been a foundational educational experience and freedom to me and many others. What others choose to do with my junkcode is up to them. If a Linux distribution or manufacturer with embedded FOSS code chooses to include some of my junkcode in their distro or product, that is on them, not me.

Is this akin to von Braun saying that he was just developing rockets, it was on the Nazi leadership who deployed them as WMDs? Or a gun manufacturer hiding behind the shooter being the sole responsible party?

I don't know and I sure hope not. I do want to encourage the next generation of Free and Open Source coders to have a go and not feel constrained because their pet project may cause someone to have some additional technical debt in the future.

Paul's additional comment that there is a "right way" to write code, and that it is "simple" to get it right also smacks of a kind of elitism to me, esp. in the absence of any further details of what that right way might be.
My >A$0.02 worth.
cheers,
Bob Edwards.
On 8/11/19 6:50 pm, Sam Couter via linux wrote:
> As far as code quality goes, OpenSSL is still poop. So was the Linux kernel
> before everybody who wasn't Linus got into it. Tridge is somewhat of an
> outlier, and will probably admit the first version of samba wasn't perfect
> either.
>
> In short, these are a bunch of examples supporting Paul's point. Those
> projects all started with huge technical debt and their value lay elsewhere.
>
> On Fri, 8 Nov 2019, 18:30 Stephen Hocking via linux, <linux at lists.samba.org>
> wrote:
>
>> OpenSSL, methinks.
>>
>> On Fri, 8 Nov 2019 at 09:49, Kathy Reid via linux <linux at lists.samba.org>
>> wrote:
>>
>>>> Imagine a world where, for instance, most of the O/S kernels were
>>>> written by a second year undergrad from a non-English speaking
>>>> country - doesn't even bear imagining.
>>> Linus Torvalds, Linux
>>>> Or if the dominant file-server
>>>> were written by a PhD student with a physics background who did
>>>> it just to solve a short-term problem.
>>> Tridge, Samba
>>>> Or if most people were
>>>> relying on a security protocol cobbled together by a pair of students
>>>> from a backward place like Queensland... Dystopia!
>>> This one eludes me? It's not Diffie-Hellman or GPG. TLS?
>>>
>>> --
>>> linux mailing list
>>> linux at lists.samba.org
>>> https://lists.samba.org/mailman/listinfo/linux
>>>
>>
>> --
>>
>> "I and the public know
>> what all schoolchildren learn
>> Those to whom evil is done
>> Do evil in return" W.H. Auden, "September 1, 1939"