[clug] [OT] 'Technical Debt' in Infrastructure, now entering mainstream media

Sam Couter sam at couter.id.au
Sat Nov 9 23:16:30 UTC 2019


Hi Bob,

I don't mean to discourage people, experienced or otherwise, from using or
contributing to open source code. It's very important and as I implied it
has great value.

Nobody is born with experience. Nearly everybody starts off writing bad
code. Reflecting on, practicing and improving our skills is how we get
good. Contributing to open source is a great way to get code reviews and
high quality discussion happening.

High quality code usually isn't created out of thin air. Linux code wasn't
good in the beginning for many reasons, including Linus' lack of
experience. That changed as Linus gained experience, Linux gained
contributors and robust discussions occurred.

I don't think it's elitist to acknowledge that inexperienced developers
create technical debt. I also don't think technical debt is the end of the
world; it just needs to be identified and managed.

As far as open source contributions go, my credentials are pretty weak. So
you may ignore my opinions if you wish, I won't be offended.


On Sun, 10 Nov 2019, 09:19 Robert Edwards via linux, <linux at lists.samba.org>
wrote:

> I am somewhat disquieted by some of Sam's throwaway lines here, which caused
> me to reflect on why I participate on this mailing list. To which I can say
> that I am on this list to defend, support, encourage and celebrate the
> development and use of Free and Open Source Software, esp. including the
> Linux kernel.
>
> So, I put OpenSSL, the Kernel and Samba into the frame with my highly
> sarcastic response to Paul's well-intentioned, but ultimately existentially
> threatening post.
>
> Now it is upon me to call out a description of the OpenSSL code quality as
> fecal matter, with zero supporting arguments, documentation, references etc.
> And similarly with the initial releases of the Linux Kernel.
>
> I'm not familiar with Sam's credentials in this area. I am guessing that he
> may be referring to responses to various vulnerabilities discovered in the
> OpenSSL code base over the years, the most spectacular of which is known as
> Heartbleed. The response to which was multiple forks of the project, some of
> which managed to remove almost 100,000 lines of code contributed, in the
> large, by well meaning contributors, but introducing many more
> vulnerabilities. Another response, to address this technical debt, was the
> Linux Foundation's Core Infrastructure Initiative, a good outcome, in my
> opinion.
>
> I have attended multiple Web Security training courses and my understanding
> is that OpenSSL is still the gold-standard in tooling for web security
> analysis. That doesn't speak to its code quality, but is evidence that it is
> held in high regard and so many, like me, are prepared to wear the technical
> debt risk over the greater risk of vendor lock-in if projects like OpenSSL
> didn't exist.
>
> I should also point out that there are multiple SSL libraries out there,
> including other Free and Open Source implementations, such as GnuTLS (Free
> Software only), which I have written code against, so have some vague working
> knowledge of it. I celebrate all the FOSS SSL libraries and note that OpenSSL
> is not the only security library to have had vulnerabilities detected over
> the years.
>
> Onto the slight against Linus Torvalds and the implied assertion that the
> early Linux kernels were also fecal matter. I just want to point out that
> Linus is still the kernel lead, after many decades, and the originating
> author of other v. significant projects, not least of which is git. He
> deserves much greater credit and respect for his contributions than the
> implication that he can't write non-fecal code.
>
> Why is any of this important? Paul's post that I responded to rubs up against
> some core Free and Open Source foundational attributes, one of which is the
> permission to write "junkcode". Writing and sharing junkcode has been a
> foundational educational experience and freedom to me and many others.
> What others choose to do with my junkcode is up to them. If a Linux
> distribution or manufacturer with embedded FOSS code chooses to include some
> of my junkcode in their distro or product, that is on them, not me.
>
> Is this akin to von Braun saying that he was just developing rockets, it was
> on the Nazi leadership who deployed them as WMDs? Or a gun manufacturer
> hiding behind the shooter being the sole responsible party?
>
> I don't know and I sure hope not. I do want to encourage the next generation
> of Free and Open Source coders to have a go and not feel constrained because
> their pet project may cause someone to have some additional technical debt
> in the future.
>
> Paul's additional comment that there is a "right way" to write code, and that
> it is "simple" to get it right also smacks of a kind of elitism to me, esp.
> in the absence of any further details of what that right way might be.
>
> My >A$0.02 worth.
>
> cheers,
> Bob Edwards.
>
> On 8/11/19 6:50 pm, Sam Couter via linux wrote:
> > As far as code quality goes, OpenSSL is still poop. So was the Linux kernel
> > before everybody who wasn't Linus got into it. Tridge is somewhat of an
> > outlier, and will probably admit the first version of samba wasn't perfect
> > either.
> >
> > In short, these are a bunch of examples supporting Paul's point. Those
> > projects all started with huge technical debt and their value lay elsewhere.
> >
> > On Fri, 8 Nov 2019, 18:30 Stephen Hocking via linux, <linux at lists.samba.org>
> > wrote:
> >
> >> OpenSSL, methinks.
> >>
> >> On Fri, 8 Nov 2019 at 09:49, Kathy Reid via linux <linux at lists.samba.org>
> >> wrote:
> >>
> >>>> Imagine a world where, for instance, most of the O/S kernels were
> >>>> written by a second year undergrad from a non-English speaking
> >>>> country - doesn't even bear imagining.
> >>> Linus Torvalds, Linux
> >>>> Or if the dominant file-server
> >>>> were written by a PhD student with a physics background who did
> >>>> it just to solve a short-term problem.
> >>> Tridge, Samba
> >>>> Or if most people were
> >>>> relying on a security protocol cobbled together by a pair of students
> >>>> from a backward place like Queensland... Dystopia!
> >>> This one eludes me? It's not Diffie-Hellman or GPG. TLS?
> >>>
> >>> --
> >>> linux mailing list
> >>> linux at lists.samba.org
> >>> https://lists.samba.org/mailman/listinfo/linux
> >>>
> >>
> >> --
> >>
> >>    "I and the public know
> >>    what all schoolchildren learn
> >>    Those to whom evil is done
> >>    Do evil in return"            W.H. Auden, "September 1, 1939"

