An Open Source Pothole?
September 17, 2010
In the last six months, we have increased our coverage of open source search. There is increasing interest in the use of Lucene/Solr in a number of high profile search deployments. Two examples that come to mind are Cisco Systems and IBM.
On the other hand, there have been stories about Oracle’s Java litigation and write ups like “Code for Open-Source Facebook Littered with Landmines.” This story comes at open source from an interesting angle–security. If there is one hot button in the world of social networking and open source, it is the issue of protecting what should be protected from nefarious activity.
The Register says:
Among the list of reported issues in the code are numerous XSS — or cross-site scripting — attack vulnerabilities, a session token that’s easy to steal, a lack of user input filtering, and repeated errors when a null character is entered into web fields. Encryption features in Diaspora, which runs on the Ruby on Rails software stack, is also susceptible to a recently enhanced “Oracle Padding attack,” being demonstrated this week at the Ekoparty conference in Argentina, but then again, so are many banking apps.
Several questions:
- Does open source code drag along legal eagles regardless of licenses, coder intent, and community advocacy?
- Will other large companies get cold feet due to the actions of certain commercial entities which seem to be increasingly anti-open source when its makes business sense to adopt this position and willing to spend money for legal actions?
- Will the boundary between commercial and proprietary solutions and open source alternatives become a wider, more ambiguous space in which to do business, thus increasing uncertainty about open source options for a business?
With the disruptive nature of open source software in general and open source search in particular becoming evident to us in Harrod’s Creek, we do not have answers to these questions. We are not sure any other party has answers either. We are entering an interesting “tweener” state with regard to open source.
One thing is certain, the issue of security is likely to grab the attention of procurement teams and the media. Identifying security flaws or issues is an emotional and technical issue at this time.
Stephen E Arnold, September 17, 2010
Comments
2 Responses to “An Open Source Pothole?”
Actually the answer is very simple and known but you need to have been around the field for a bit to know: those 3 questions are the same ones people started asking 15 years ago and then 10 years ago and then 5 years ago and then again now and all because the disruption happens every 5 years in a different field and people don’t make the effort to research what happened previously.
The short answers based on the last 15 years of OSS disruption are:
1) no
2) no
3) no
It feels like, without realising it, you are taking on spreading FUD. Check your facts!
Getting security right is hard and relatively few people find it interesting, so you are more likely to find effort put into security in commercial software than in volunteer software.