Open Source Guru Admits to "Mismatched Incentives" and "Serious Trouble Down the Road"
(p. B1) SAN FRANCISCO -- The Heartbleed bug that made news last week drew attention to one of the least understood elements of the Internet: Much of the invisible backbone of websites from Google to Amazon to the Federal Bureau of Investigation was built by volunteer programmers in what is known as the open-source community.
Heartbleed originated in this community, in which these volunteers, connected over the Internet, work together to build free software, to maintain and improve it and to look for bugs. Ideally, they check one another's work in a peer review system similar to that found in science, or at least on the nonprofit Wikipedia, where motivated volunteers regularly add new information and fix others' mistakes.
This process, advocates say, ensures trustworthy computer code.
But since the Heartbleed flaw got through, causing fears -- as yet unproved -- of widespread damage, members of that world are questioning whether the system is working the way it should.
"This bug was introduced two years ago, and yet nobody took the time to notice it," said Steven M. Bellovin, a computer science professor at Columbia University. "Everybody's job is not anybody's job."
. . .
(p. B2) Unlike proprietary software, which is built and maintained by only a few employees, open-source code like OpenSSL can be vetted by programmers the world over, advocates say.
"Given enough eyeballs, all bugs are shallow" is how Eric S. Raymond, one of the elders of the open-source movement, put it in his 1997 book, "The Cathedral & the Bazaar," a kind of manifesto for open-source philosophy.
In the case of Heartbleed, though, "there weren't any eyeballs," Mr. Raymond said in an interview this week.
. . .
The problem, Mr. Raymond and other open-source advocates say, boils down to mismatched incentives. Mr. Raymond said firms don't maintain OpenSSL code because they don't profit directly from it, even though it is integrated into their products, and governments don't feel political pain when the code has problems.
With OpenSSL, by contrast, "for those that do work on this, there's no financial support, no salaries, no health insurance," Mr. Raymond said. "They either have to live like monks or work nights and weekends. That is a recipe for serious trouble down the road."
For the full story, see:
(Note: ellipses added.)
(Note: the online version of the story was updated APRIL 18, 2014, and has the title "Heartbleed Highlights a Contradiction in the Web.")
Raymond's open source manifesto is:
Raymond, Eric S. The Cathedral & the Bazaar: Musings on Linux and Open Source by an Accidental Revolutionary. Sebastopol, CA: O'Reilly Media, Inc., 1999.